# NixOS host configuration for the C3D2 Hydra CI host (hostName = "hydra"):
# Hydra itself, a Harmonia binary cache, the nginx front-ends for both, and the
# build-machine definitions Hydra uses for native and binfmt-emulated builds.
{ config, lib, pkgs, zentralwerk, ... }:
let
  # Port Harmonia (the binary cache) listens on; nginx proxies nix-serve.hq.c3d2.de to it.
  cachePort = 5000;
in {
  imports = [
    ./hardware-configuration.nix
    ./network.nix
    ./updater.nix
    ../../modules/c3d2.nix
  ];

  c3d2 = {
    hq.statistics.enable = true;
    simd.arch = "ivybridge";
  };

  boot = {
    tmpOnTmpfs = true;
    tmpOnTmpfsSize = "80%";
    kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
    kernelModules = [ "kvm-intel" ];
    # NOTE(review): `mitigations=off` disables the kernel's speculative-execution
    # mitigations host-wide. This host runs build jobs for third-party code, and the
    # nix build sandbox offers no protection against the CPU side channels these
    # mitigations address — a throughput-vs-isolation trade-off; confirm it is intended.
    kernelParams = [ "mitigations=off" "preempt=none" ];
    loader = {
      efi.canTouchEfiVariables = true;
      systemd-boot.enable = true;
    };
    # For cross-building
    binfmt.emulatedSystems = [ "armv6l-linux" "armv7l-linux" "aarch64-linux" "riscv32-linux" "riscv64-linux" ];
  };

  nix = {
    buildMachines = [{
      hostName = "client@dacbert.hq.c3d2.de";
      system = lib.concatStringsSep "," [ "aarch64-linux" "armv6l-linux" "armv7l-linux" ];
      supportedFeatures = [ "kvm" "nixos-test" ];
      maxJobs = 1;
    }];
    daemonCPUSchedPolicy = "idle";
    daemonIOSchedClass = "idle";
    daemonIOSchedPriority = 7;
    settings = {
      # Restricted-evaluation allow-list. Plain http:// is permitted, so fetched
      # sources are only as trustworthy as the hashes declared for them.
      allowed-uris = "http:// https:// ssh://";
      auto-optimise-store = true;
      builders-use-substitutes = true;
      cores = 20;
      keep-outputs = true;
      max-jobs = 8;
      # Per the Nix manual, trusted users can override daemon settings (extra
      # substituters, unsigned imports, ...) and are effectively root-equivalent;
      # this extends that to every member of wheel.
      trusted-users = [ "hydra" "root" "@wheel" ];
    };
  };

  nixpkgs.config.allowUnfree = true;

  # disabled because currently it displays `ARRAY(0x4ec2040)` on the website and also uses a perl array in store paths instead of /nix/store
  # containers = {
  #   hydra-ca = {
  #     autoStart = true;
  #     config = { ... }: {
  #       imports = [
  #         hydra-ca.nixosModules.hydra
  #       ];
  #       environment.systemPackages = with pkgs; [ git ];
  #       networking.firewall.allowedTCPPorts = [ 3001 ];
  #       nix = {
  #         settings = {
  #           allowed-uris = "https://gitea.c3d2.de/ https://github.com/ https://gitlab.com/ ssh://gitea@gitea.c3d2.de/";
  #           builders-use-substitutes = true;
  #           experimental-features = "ca-derivations nix-command flakes";
  #           extra-substituters = "https://cache.ngi0.nixos.org/";
  #           extra-trusted-public-keys = "cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=";
  #           substituters = [
  #             "https://cache.ngi0.nixos.org/"
  #           ];
  #           trusted-public-keys = [
  #             "cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA="
  #           ];
  #         };
  #       };
  #       nixpkgs = {
  #         # config.contentAddressedByDefault = true;
  #         overlays = [ self.overlay ];
  #       };
  #       services = {
  #         hydra-dev = lib.recursiveUpdate config.services.hydra-dev {
  #           hydraURL = "https://hydra-ca.hq.c3d2.de";
  #           port = 3001;
  #         };
  #       };
  #       system.stateVersion = "22.05"; # Did you read the comment? No.
  #     };
  #     hostAddress = "192.168.100.1";
  #     localAddress = "192.168.100.2";
  #     privateNetwork = true;
  #   };
  # };

  networking = {
    hostId = "3f0c4ec4";
    hostName = "hydra";
    # NOTE(review): no host firewall — Hydra (via nginx), Harmonia on cachePort and
    # any other listener are reachable from every attached network; presumably
    # ./network.nix or the site network filters upstream — verify.
    firewall.enable = false;
    nameservers = [ "172.20.73.8" "9.9.9.9" ];
    # nat = {
    #   enable = true;
    #   externalInterface = "serv";
    #   internalInterfaces = [ "ve-hydra-ca" ];
    # };
  };

  services = {
    hydra = {
      enable = true;
      # /etc/nix/machines is generated from nix.buildMachines above; the second
      # file is presumably the `~/machines` written by the hydra-init preStart
      # hook below (assumes the hydra user's home is /var/lib/hydra — confirm).
      buildMachinesFiles = [ "/etc/nix/machines" "/var/lib/hydra/machines" ];
      hydraURL = "https://hydra.hq.c3d2.de";
      logo = ./c3d2.svg;
      minimumDiskFree = 50;
      minimumDiskFreeEvaluator = 50;
      notificationSender = "hydra@spam.works";
      useSubstitutes = true;
      # NOTE(review): Hydra's documented LDAP configuration nests these keys in
      # <ldap>/<config>/<credential>/<store>/<role_mapping> sections (with
      # <ldap_server_options>, <start_tls_options>, <user_search_options> and
      # <role_search_options> sub-blocks). Here they appear as a flat key list,
      # which looks like the section markup was lost when this file was copied —
      # compare against the deployed file before relying on this listing.
      # NOTE(review): role_filter below names the group directly and carries no
      # `%s` placeholder, so as written the role search is not scoped to the
      # authenticating user's DN (the documented example uses `(member=%s)`);
      # confirm that the admin role really is limited to hydra-admins members.
      extraConfig = let
        key = config.sops.secrets."nix-serve/secretKey".path;
      in ''
        binary_cache_secret_key_file = ${key}
        compress_num_threads = 4
        evaluator_workers = 4
        evaluator_max_memory_size = 2048
        max_output_size = ${toString (5*1024*1024*1024)} # sd card and raw images
        store_uri = auto?secret-key=${key}&write-nar-listing=1&ls-compression=zstd&log-compression=zstd
        upload_logs_to_binary_cache = true
        # https://hydra.nixos.org/build/196107287/download/1/hydra/configuration.html#using-ldap-as-authentication-backend-optional
        class = Password
        password_field = password
        password_type = self_check
        class = LDAP
        ldap_server = auth.c3d2.de
        scheme = ldaps
        timeout = 10
        binddn = "uid=search,ou=users,dc=c3d2,dc=de"
        include ldap-password.conf
        start_tls = 0
        ciphers = TLS_AES_256_GCM_SHA384
        sslversion = tlsv1_3
        # verify = none
        user_basedn = "ou=users,dc=c3d2,dc=de"
        user_filter = "(&(objectclass=person)(uid=%s))"
        user_scope = one
        user_field = uid
        deref = always
        # Important for role mappings to work:
        use_roles = 1
        role_basedn = "ou=groups,dc=c3d2,dc=de"
        role_filter = "(&(objectclass=groupOfNames)(cn=hydra-admins))"
        role_scope = one
        role_field = cn
        role_value = dn
        deref = always
        # maps directly to user roles
        # Make all users in the hydra-admin group Hydra admins
        # IMPORTANT: if new groups are used, they need to be added to the role_filter above
        hydra-admins = admin
        # Allow all users in the dev group to restart jobs and cancel builds
        #dev = restart-jobs
        #dev = cancel-build
      '';
    };
    # A rust nix binary cache
    harmonia = {
      enable = true;
      settings = {
        # Bound on all interfaces; with the host firewall disabled this is reachable
        # directly as well as through the nix-serve.hq.c3d2.de vhost below.
        bind = "[::]:${toString cachePort}";
        workers = 20;
        max_connection_rate = 1024;
        priority = 50;
        # Same signing key Hydra uses (binary_cache_secret_key_file above), so
        # both caches sign with one key pair.
        sign_key_path = config.sops.secrets."nix-serve/secretKey".path;
      };
    };
    nginx = let
      # Shared vhost definition: TLS via ACME, everything proxied to Hydra's port.
      hydraVhost = {
        forceSSL = true;
        enableACME = true;
        locations."/".proxyPass = "http://localhost:${toString config.services.hydra.port}";
      };
    in {
      enable = true;
      virtualHosts = {
        "hydra.hq.c3d2.de" = hydraVhost // { default = true; };
        # "hydra-ca.hq.c3d2.de" = hydraVhost // {
        #   locations."/".proxyPass = "http://192.168.100.2:3001";
        # };
        "hydra.serv.zentralwerk.org" = hydraVhost;
        "nix-serve.hq.c3d2.de" = {
          forceSSL = true;
          enableACME = true;
          locations."/".proxyPass = "http://localhost:${toString cachePort}";
        };
      };
    };
    portunus.addToHosts = true;
    resolved.enable = false;
    smartd.enable = true;
    zfs.trim.enable = true;
  };

  sops = {
    defaultSopsFile = ./secrets.yaml;
    # Bind password for the LDAP search user, pulled in by `include
    # ldap-password.conf` in extraConfig above (that include is relative —
    # presumably resolved against the directory holding hydra.conf; confirm).
    # Mode 440: readable only by hydra-queue-runner and its group.
    secrets."ldap/search-user-pw" = {
      mode = "440";
      owner = config.users.users.hydra-queue-runner.name;
      inherit (config.users.users.hydra-queue-runner) group;
      path = "/var/lib/hydra/ldap-password.conf";
    };
    secrets."machine-id" = {
      mode = "444";
      path = "/etc/machine-id";
    };
    # Binary-cache signing key shared by Hydra (extraConfig) and Harmonia
    # (sign_key_path). The harmonia user is added to the hydra group at the end
    # of this file to read it (assumes hydra-queue-runner's group is hydra).
    secrets."nix-serve/secretKey" = {
      mode = "440";
      owner = config.users.users.hydra-queue-runner.name;
      inherit (config.users.users.hydra-queue-runner) group;
    };
  };

  system.stateVersion = "20.09";

  systemd.services = {
    hydra-evaluator.serviceConfig = {
      CPUWeight = 2;
      MemoryHigh = "64G";
      MemoryMax = "64G";
      MemorySwapMax = "64G";
    };
    # Writes ~/machines with two localhost entries: native x86_64 with the full
    # system-features list, and the binfmt-emulated extra-platforms with the
    # kvm/benchmark features filtered out.
    hydra-init.preStart = let
      makesSenseForQemuUser = feature: ! (builtins.elem feature [ "kvm" "benchmark" ]); # strips features that don't make sense on qemu-user
      extraPlatformSystemFeatures = builtins.filter makesSenseForQemuUser config.nix.settings.system-features;
    in
    # both entries cannot have localhost alone because then hydra would merge them together but we want explicitly two to not allow benchmarks for binfmt emulated arches
    ''
      cat << EOF > ~/machines
      localhost x86_64-linux - ${toString config.nix.settings.max-jobs} 10 ${lib.concatStringsSep "," config.nix.settings.system-features} -
      hydra@localhost ${lib.concatStringsSep "," config.nix.settings.extra-platforms} - ${toString config.nix.settings.max-jobs} 10 ${lib.concatStringsSep "," extraPlatformSystemFeatures} -
      EOF
    '';
    nix-daemon.serviceConfig = {
      CPUWeight = 5;
      MemoryHigh = "64G";
      MemoryMax = "64G";
      MemorySwapMax = "64G";
    };
  };

  # allow reading nix-serve secret
  users.users.harmonia.extraGroups = [ "hydra" ];
}