From f6c1177c38e038206c043338a9b78477b03e54a0 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Mon, 5 Jun 2023 19:46:42 +0200 Subject: [PATCH 01/45] infra: init vieuxtype.infra.newtype.fr --- configurations.nix | 26 +++++++++++- docs/vieuxtype.lstopo.svg | 63 +++++++++++++++++++++++++++++ docs/vieuxtype.md | 83 +++++++++++++++++++++++++++++++++++++++ hosts/vieuxtype.nix | 28 +++++++++++++ modules/gitea.nix | 34 ++++++++++++++++ modules/hardware/vm.nix | 14 +++++++ modules/hosts.nix | 5 ++- modules/nix-daemon.nix | 12 +++++- modules/packages.nix | 20 ++++++++++ modules/tailscale.nix | 5 +++ modules/users/admins.nix | 5 --- modules/users/yvan.nix | 17 ++++++++ modules/zsh.nix | 9 +++++ 13 files changed, 312 insertions(+), 9 deletions(-) create mode 100644 docs/vieuxtype.lstopo.svg create mode 100644 docs/vieuxtype.md create mode 100644 hosts/vieuxtype.nix create mode 100644 modules/gitea.nix create mode 100644 modules/hardware/vm.nix create mode 100644 modules/tailscale.nix create mode 100644 modules/users/yvan.nix diff --git a/configurations.nix b/configurations.nix index caaed52..05ccb4f 100644 --- a/configurations.nix +++ b/configurations.nix @@ -40,7 +40,8 @@ let srvos.nixosModules.server # srvos.nixosModules.mixins-telegraf - # srvos.nixosModules.mixins-terminfo + srvos.nixosModules.mixins-trusted-nix-caches + srvos.nixosModules.mixins-terminfo agenix.nixosModules.default ({ pkgs @@ -55,6 +56,11 @@ let "nixpkgs=${pkgs.path}" "nur=${nur}" ]; + + environment.systemPackages = [ + pkgs.kitty.terminfo + ]; + # TODO: share nixpkgs for each machine to speed up local evaluation. #nixpkgs.pkgs = self.inputs.nixpkgs.legacyPackages.${system}; @@ -88,7 +94,16 @@ in ./hosts/epyc.nix ]; }; + vieuxtype = nixosSystem { + system = "x86_64-linux"; + modules = + commonModules + ++ colmenaModules + ++ [ + ./hosts/vieuxtype.nix + ]; }; + }; flake.colmena = { meta.nixpkgs = import nixpkgs { 
@@ -101,5 +116,14 @@ in ./hosts/epyc.nix ]; }; + vieuxtype = { + system = "x86_64-linux"; + modules = + commonModules + ++ [ + ./hosts/vieuxtype.nix + ]; + }; + }; } diff --git a/docs/vieuxtype.lstopo.svg b/docs/vieuxtype.lstopo.svg new file mode 100644 index 0000000..da866d3 --- /dev/null +++ b/docs/vieuxtype.lstopo.svg @@ -0,0 +1,63 @@ + + + + Machine (5936MB total) + + Package L#0 + + L3 (16MB) + + L2 (4096KB) + + L1d (32KB) + + L1i (32KB) + + Core L#0 + + PU L#0 + P#0 + + NUMANode L#0 P#0 (5936MB) + + + + + + + + + + + + PCI 00:01.1 + + Block sr0 + 541 MB + + PCI 00:02.0 + + PCI 00:03.0 + + PCI 00:05.0 + + Block sda + 40 GB + + PCI 00:12.0 + + Net ens18 + + PCI 00:13.0 + + Net ens19 + + PCI 00:14.0 + + Net ens20 + + MemoryModule + + Host: vieuxtype + Date: Mon 05 Jun 2023 08:15:31 PM CEST + diff --git a/docs/vieuxtype.md b/docs/vieuxtype.md new file mode 100644 index 0000000..ca86ff2 --- /dev/null +++ b/docs/vieuxtype.md 
@@ -0,0 +1,83 @@ +# vieuxtype + +``` +System: Host: vieuxtype Kernel: 6.1.31 x86_64 bits: 64 compiler: gcc v: 12.2.0 + parameters: initrd=\efi\nixos\mf13ryz0gl48s8672gzg80lvq9yd8189-initrd-linux-6.1.31-initrd.efi + init=/nix/store/5c8yhqcmf24d61m99cpqc3ffjma90cxs-nixos-system-vieuxtype-23.05.553.e7603eba51f/init + console=ttyS0,115200 panic=30 boot.panic_on_fail loglevel=4 + Console: N/A Distro: NixOS 23.05 (Stoat) +Machine: Type: Kvm System: QEMU product: Standard PC (i440FX + PIIX, 1996) v: pc-i440fx-7.2 + serial: N/A Chassis: type: 1 v: pc-i440fx-7.2 serial: N/A + Mobo: N/A model: N/A serial: N/A UEFI: EFI Development Kit II / OVMF v: 3.20230228-2 + date: 04/04/2023 +Memory: RAM: total: 5.8 GiB used: 820.6 MiB (13.8%) + Array-1: capacity: 6 GiB slots: 1 EC: Multi-bit ECC max-module-size: 6 GiB note: est. + Device-1: DIMM 0 size: 6 GiB speed: N/A type: RAM detail: other bus-width: Unknown + total: Unknown manufacturer: QEMU part-no: Not Specified serial: Not Specified +PCI Slots: Message: No PCI Slot data found. 
+CPU: Info: Single Core model: Common KVM bits: 64 type: MCP arch: Netburst Presler + family: F (15) model-id: 6 stepping: 1 microcode: 1 cache: L2: 16 MiB + flags: lm nx pae sse sse2 sse3 bogomips: 5199 + Speed: 2600 MHz min/max: N/A base/boost: 2000/2000 Core speed (MHz): 1: 2600 + Vulnerabilities: Type: itlb_multihit status: KVM: VMX unsupported + Type: l1tf mitigation: PTE Inversion + Type: mds + status: Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown + Type: meltdown mitigation: PTI + Type: mmio_stale_data status: Unknown: No mitigations + Type: retbleed status: Not affected + Type: spec_store_bypass status: Vulnerable + Type: spectre_v1 mitigation: usercopy/swapgs barriers and __user pointer sanitization + Type: spectre_v2 + mitigation: Retpolines, STIBP: disabled, RSB filling, PBRSB-eIBRS: Not affected + Type: srbds status: Not affected + Type: tsx_async_abort status: Not affected +Graphics: Device-1: vendor: Red Hat driver: bochs-drm v: N/A alternate: bochs bus-ID: 00:02.0 + chip-ID: 1234:1111 class-ID: 0300 + Display: server: No display server data found. Headless machine? tty: N/A + Message: Advanced graphics data unavailable in console for root. +Audio: Message: No device data found. 
+Network: Device-1: Intel 82371AB/EB/MB PIIX4 ACPI vendor: Red Hat Qemu virtual machine + type: network bridge driver: piix4_smbus v: N/A modules: i2c_piix4 port: 10c0 + bus-ID: 00:01.3 chip-ID: 8086:7113 class-ID: 0680 + Device-2: Red Hat Virtio network driver: virtio-pci v: 1 modules: virtio_pci port: 10e0 + bus-ID: 00:12.0 chip-ID: 1af4:1000 class-ID: 0200 + IF: ens18 state: up speed: -1 duplex: unknown mac: da:3e:b0:11:ae:0a + IP v4: 169.254.129.42/16 type: noprefixroute scope: global broadcast: 169.254.255.255 + IP v6: 2a01:e0a:5f9:9681:33ba:55f5:6e55:beef/64 type: temporary dynamic scope: global + IP v6: 2a01:e0a:5f9:9681:d83e:b0ff:fe11:ae0a/64 type: dynamic mngtmpaddr scope: global + IP v6: 2a01:e0a:5f9:9681:a498:fffb:e48d:299/64 scope: global + IP v6: fe80::d83e:b0ff:fe11:ae0a/64 scope: link + Device-3: Red Hat Virtio network driver: virtio-pci v: 1 modules: virtio_pci port: 1400 + bus-ID: 00:13.0 chip-ID: 1af4:1000 class-ID: 0200 + IF: ens19 state: up speed: -1 duplex: unknown mac: 72:38:5f:a6:82:5a + IP v4: 10.32.64.196/20 type: dynamic noprefixroute scope: global + broadcast: 10.32.79.255 + IP v6: fe80::7038:5fff:fea6:825a/64 scope: link + Device-4: Red Hat Virtio network driver: virtio-pci v: 1 modules: virtio_pci port: 1420 + bus-ID: 00:14.0 chip-ID: 1af4:1000 class-ID: 0200 + IF: ens20 state: up speed: -1 duplex: unknown mac: 8e:38:09:a2:8c:9e + IP v4: 10.32.64.224/20 type: dynamic noprefixroute scope: global + broadcast: 10.32.79.255 + IP v6: fe80::8c38:9ff:fea2:8c9e/64 scope: link + IF-ID-1: tailscale0 state: unknown speed: -1 duplex: full mac: N/A + IP v6: fe80::7d4f:3369:71cc:66d5/64 virtual: stable-privacy scope: link + WAN IP: 82.65.118.1 +Drives: Local Storage: total: 40 GiB used: 10.33 GiB (25.8%) + ID-1: /dev/sda maj-min: 8:0 vendor: QEMU model: HARDDISK size: 40 GiB block-size: + physical: 512 B logical: 512 B speed: serial: drive-scsi0 rev: 2.5+ + scheme: GPT + SMART: no +Partition: ID-1: / raw-size: 11.5 GiB size: 11.22 GiB (97.55%) used: 
10.27 GiB (91.6%) fs: ext4 + block-size: 4096 B dev: /dev/sda1 maj-min: 8:1 + ID-2: /boot raw-size: 511 MiB size: 510 MiB (99.80%) used: 54.9 MiB (10.8%) fs: vfat + block-size: 512 B dev: /dev/sda3 maj-min: 8:3 +Swap: Kernel: swappiness: 60 (default) cache-pressure: 100 (default) + ID-1: swap-1 type: partition size: 8 GiB used: 0 KiB (0.0%) priority: -2 dev: /dev/sda2 + maj-min: 8:2 +Sensors: Message: No sensor data found. Is lm-sensors configured? +Info: Processes: 107 Uptime: N/A wakeups: 1 Init: systemd v: 253 target: multi-user.target + tool: systemctl Compilers: gcc: 12.2.0 Packages: 899 nix-default: 9 nix-sys: 881 + lib: 155 nix-usr: 9 lib: 3 Client: Sudo v: 1.9.13p3 inxi: 3.3.04 +``` +![hardware topology](vieuxtype.lstopo.svg) diff --git a/hosts/vieuxtype.nix b/hosts/vieuxtype.nix new file mode 100644 index 0000000..41bd6e5 --- /dev/null +++ b/hosts/vieuxtype.nix @@ -0,0 +1,28 @@ +{ + imports = [ + ../modules/hardware/vm.nix + ../modules/gitea.nix + ../modules/tailscale.nix + ../modules/users/yvan.nix + ]; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/fe1d2e0d-9210-4a2d-b584-d1e131747ea3"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/8782-7801"; + fsType = "vfat"; + }; + + swapDevices = + [{ device = "/dev/disk/by-uuid/c9511ddb-e41f-436c-ad1f-9b587ed0ba11"; }]; + + networking.hostName = "vieuxtype"; + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + # simd.arch = "znver3"; + system.stateVersion = "23.05"; +} diff --git a/modules/gitea.nix b/modules/gitea.nix new file mode 100644 index 0000000..1fd9dc7 --- /dev/null +++ b/modules/gitea.nix 
@@ -0,0 +1,34 @@ +{ ... }: { + services.gitea = { + enable = true; + appName = "Newtype's Git"; + mailerPasswordFile = "/var/lib/secrets/gitea/mailpw"; + settings = { + server = { + ROOT_URL = "https://git.newtype.fr"; + DOMAIN = "git.newtype.fr"; + }; + service.DISABLE_REGISTRATION = true; + session.COOKIE_SECURE = true; + mailer = { + ENABLED = true; + HOST = "mail.gandi.net:465"; + USER = "git@newtype.fr"; + FROM = "Newtype's Git "; + IS_TLS_ENABLED = true; + }; + }; + }; + + services.nginx = { + enable = true; + virtualHosts."git.newtype.fr" = { + enableACME = true; + forceSSL = true; + locations."/" = { proxyPass = "http://127.0.0.1:3000"; }; + }; + }; + + security.acme.certs = { "git.newtype.fr".email = "contact@newtype.fr"; }; + security.acme.acceptTerms = true; +} diff --git a/modules/hardware/vm.nix b/modules/hardware/vm.nix new file mode 100644 index 0000000..9d457ec --- /dev/null +++ b/modules/hardware/vm.nix @@ -0,0 +1,14 @@ +{ lib, modulesPath, ... }: { + imports = [ "${modulesPath}/profiles/qemu-guest.nix" ]; + + boot.initrd.availableKernelModules = + [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + services.qemuGuest.enable = true; + + # VMs are noisy for this type of thing usually. + nix.settings.max-jobs = lib.mkDefault 1; +} diff --git a/modules/hosts.nix b/modules/hosts.nix index 9a5bc26..794b6d8 100644 --- a/modules/hosts.nix +++ b/modules/hosts.nix @@ -37,11 +37,14 @@ in ) "Please add network configuration for ${config.networking.hostName}. None found in ${./hosts.nix}"; - # usually, for each host there is a hostname.dse.in.tum.de and hostname.r domain + # usually, for each host there is a hostname.infra.newtype.fr networking.newtype.hosts = { epyc = { ipv6 = "2001:470:ca5e:dee:587c:7a50:f36c:cae8"; }; + vieuxtype = { + ipv6 = "2a01:e0a:5f9:9681:a498:fffb:e48d:299"; + }; }; }; } 
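Review bot: `mailerPasswordFile = "/var/lib/secrets/gitea/mailpw";` in modules/gitea.nix points at a file nothing in this series provisions, although `agenix.nixosModules.default` is already in commonModules; the mail password should be an agenix secret owned by the gitea user, or at least the hand-placed path and mode documented in a comment such as `# provisioned out of band, must be 0400 gitea:gitea`, otherwise a redeploy from this repo alone does not reproduce the host. nginx proxies to 127.0.0.1:3000 but the Gitea listen address is left at the module default, which I believe is all interfaces; `settings.server.HTTP_ADDR = "127.0.0.1";` keeps the backend reachable only through the TLS front end regardless of firewall state. `FROM = "Newtype's Git ";` ends in a trailing space and no address — presumably an angle-bracket address lost in rendering, but worth checking in the actual file since Gitea rejects a malformed From. Recent Gitea releases also deprecate `IS_TLS_ENABLED` in favour of `PROTOCOL = "smtps"`, so the log may show a deprecation warning on this config.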
diff --git a/modules/nix-daemon.nix b/modules/nix-daemon.nix index ffda29f..b45d3a8 100644 --- a/modules/nix-daemon.nix +++ b/modules/nix-daemon.nix @@ -24,11 +24,19 @@ in config = { warnings = lib.optionals (config.simd.arch == null) [ "Please set simd.arch for ${config.networking.hostName}" ]; + # Allow more open files for non-root users to run NixOS VM tests. + security.pam.loginLimits = [ + { domain = "*"; item = "nofile"; type = "-"; value = "20480"; } + ]; nix = { + # Garbage-collect often gc.automatic = true; - gc.dates = "03:15"; - gc.options = "--delete-older-than 30d"; + gc.dates = "*:45"; + gc.options = ''--max-freed "$((128 * 1024**3 - 1024 * $(df -P -k /nix/store | tail -n 1 | ${pkgs.gawk}/bin/awk '{ print $4 }')))"''; + + # Randomize GC to avoid thundering herd effects. + gc.randomizedDelaySec = "1800"; # 2.11, 2.12 suffers from a bug with remote builders… package = pkgs.nixVersions.nix_2_13; diff --git a/modules/packages.nix b/modules/packages.nix index c396d63..1086d5f 100644 --- a/modules/packages.nix +++ b/modules/packages.nix @@ -1,4 +1,7 @@ { pkgs, ... }: { + # documentation.dev.enable = true; + # environment.extraOutputsToInstall = [ "info" "man" "devman" ]; + # this extends the list from: # https://github.com/numtide/srvos/blob/master/server.nix#L10 environment.systemPackages = with pkgs; [ @@ -34,6 +37,23 @@ usbutils ipmitool + + (neovim.override { + viAlias = true; + vimAlias = true; + configure = { + packages.myPlugins = with pkgs.vimPlugins; { + start = [ vim-lastplace vim-nix ]; + opt = [ ]; + }; + }; + }) + # tries to default to soft-float due to out-dated cc-rs ] ++ lib.optional (!stdenv.hostPlatform.isRiscV) bandwhich; + + programs.vim.defaultEditor = true; + environment.variables = { EDITOR = "nvim"; }; + programs.mosh.enable = true; + programs.tmux.enable = true; } diff --git a/modules/tailscale.nix b/modules/tailscale.nix new file mode 100644 index 0000000..14ffc74 --- /dev/null +++ b/modules/tailscale.nix 
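Review bot: Dropping `--delete-older-than 30d` from `gc.options` in modules/nix-daemon.nix changes what the collector can reclaim: `nix-collect-garbage --max-freed …` only frees store paths unreferenced by any profile generation, so on a frequently redeployed host the old system generations keep most of the store alive and the "keep 128 GiB free" goal is never reached. Keep both flags, `gc.options = ''--delete-older-than 30d --max-freed "$((128 * 1024**3 - 1024 * $(df -P -k /nix/store | tail -n 1 | ${pkgs.gawk}/bin/awk '{ print $4 }')))"'';`, and add a comment above the line such as `# free whatever exceeds (128 GiB - currently free space), i.e. aim to keep 128 GiB free in /nix/store`, because the arithmetic is not obvious. The expression also relies on `df` and `tail` being on the nix-gc unit's PATH while only awk is pinned to `${pkgs.gawk}`; I believe NixOS puts coreutils on every service path, but a comment stating that assumption would help. The same hunk appears again as patch 08/45 (same `index ffda29f..b45d3a8`), so one of the two cannot apply on top of the other.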
@@ -0,0 +1,5 @@
+{ config, ... }: {
+ services.tailscale.enable = true;
+ networking.firewall.checkReversePath = "loose";
+ networking.firewall.allowedUDPPorts = [ config.services.tailscale.port ];
+}
diff --git a/modules/users/admins.nix b/modules/users/admins.nix
index 2101ef7..f7c44d1 100644
--- a/modules/users/admins.nix
+++ b/modules/users/admins.nix
@@ -13,7 +13,6 @@ in
 isNormalUser = true;
 home = "/home/raito";
 inherit extraGroups;
- shell = "/run/current-system/sw/bin/zsh";
 uid = 1000;
 openssh.authorizedKeys.keyFiles = [ ./keys/raito.keys ];
 };
@@ -23,7 +22,6 @@ in
 isNormalUser = true;
 home = "/home/luj";
 inherit (config.users.users.raito) extraGroups;
- shell = "/run/current-system/sw/bin/zsh";
 uid = 1001;
 openssh.authorizedKeys.keyFiles = [ ./keys/luj.keys ];
 };
@@ -33,7 +31,6 @@ in
 isNormalUser = true;
 home = "/home/gdd";
 inherit (config.users.users.raito) extraGroups;
- shell = "/run/current-system/sw/bin/zsh";
 uid = 1002;
 openssh.authorizedKeys.keyFiles = [ ./keys/gdd.keys ];
 };
@@ -43,7 +40,6 @@ in
 isNormalUser = true;
 home = "/home/akechi";
 inherit (config.users.users.raito) extraGroups;
- shell = "/run/current-system/sw/bin/zsh";
 uid = 1003;
 openssh.authorizedKeys.keyFiles = [ ./keys/akechi.keys ];
 };
@@ -53,7 +49,6 @@ in
 isNormalUser = true;
 home = "/home/tomate";
 inherit (config.users.users.raito) extraGroups;
- shell = "/run/current-system/sw/bin/zsh";
 uid = 1004;
 openssh.authorizedKeys.keyFiles = [ ./keys/tomate.keys ];
 };
diff --git a/modules/users/yvan.nix b/modules/users/yvan.nix
new file mode 100644
index 0000000..e9f11a9
--- /dev/null
+++ b/modules/users/yvan.nix
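Review bot: `networking.firewall.checkReversePath = "loose";` in modules/tailscale.nix relaxes reverse-path filtering on every interface of every host that imports the module, not just tailscale0, and the line gives no reason. Tailscale only needs loose mode when the node is an exit node or subnet router; vieuxtype appears to be a plain client here, so either keep strict mode or add `# "loose" is only needed when this node acts as an exit node / subnet router; strict rpfilter drops its forwarded traffic` so the setting does not spread as an unexplained default. If the nixpkgs in use already has `services.tailscale.openFirewall`, it replaces the manual `allowedUDPPorts` line.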
@@ -0,0 +1,17 @@
+{ ... }: {
+ users.users.yvan = {
+ isNormalUser = true;
+ home = "/home/yvan";
+ description = "Yvan's account";
+ extraGroups = [ "wheel" "www-data" ];
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdMWQ1D9VJNrIzvgU8QMQwhy7Q/OFI9JNLpo/Kr0uXCeZBtSn9eMzZa88Q8gDaHnlc/BlTnlSomWP/S9u8+j21d+rXgDyPgJUqMjGBxFo4lZue3DlACXKQcwWXiNlGQKFPzSNBN62N3cRwm1R7Won9xVwedS4UnxsXbOGHkBnajQx40Ej3WRVBVbSjKKGaZKKCNO5hfistRP7RtqhwxYK7D/CyOfwnIUuBAnC3QYDYDph7SD2E5OX3rKwPDPnei0zaIMMXyFrMtv/czYOsisOud2H/VX0vipQh59qji/ZNSE31LemF4VcvC1307JX3uEwSfVWiBsWGPGfc/epQ4ixl yvan@X230" # Yvan's X230
+ ];
+ };
+
+ services.mastodon = {
+ enable = true;
+ smtp = { host = "mail.gandi.net"; fromAddress = "yvan@sraka.xyz"; };
+ localDomain = "sraka.xyz";
+ };
+}
diff --git a/modules/zsh.nix b/modules/zsh.nix
index bba3962..df628fb 100644
--- a/modules/zsh.nix
+++ b/modules/zsh.nix
@@ -5,4 +5,13 @@
 programs.zsh.interactiveShellInit = ''
 source ${pkgs.zsh-nix-shell}/share/zsh-nix-shell/nix-shell.plugin.zsh
 '';
+
+ programs.zsh = {
+ autosuggestions.enable = true;
+ promptInit = ''
+ source ${pkgs.grml-zsh-config}/etc/zsh/zshrc
+ '';
+ };
+
+ users.defaultUserShell = pkgs.zsh;
 }
From df0771e3461594f6fa97bab8077923934b5aeee6 Mon Sep 17 00:00:00 2001
From: Raito Bezarius
Date: Thu, 8 Jun 2023 17:43:37 +0200
Subject: [PATCH 02/45] infra(epyc): add my key on builder and iperf3 server
---
 hosts/epyc.nix | 1 +
 modules/builder.nix | 1 +
 modules/iperf-server.nix | 6 ++++++
 3 files changed, 8 insertions(+)
 create mode 100644 modules/iperf-server.nix
diff --git a/hosts/epyc.nix b/hosts/epyc.nix
index 029b051..efbf696 100644
--- a/hosts/epyc.nix
+++ b/hosts/epyc.nix
@@ -2,6 +2,7 @@
 imports = [
 ../modules/ipmi-supermicro.nix
 ../modules/hardware/supermicro-H12SSL-i.nix
+ ../modules/iperf-server.nix
 ];
 networking.hostName = "epyc";
diff --git a/modules/builder.nix b/modules/builder.nix
index 89833b5..5dc80c8 100644
--- a/modules/builder.nix
+++ b/modules/builder.nix
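Review bot: modules/users/yvan.nix couples an account to `services.mastodon` for sraka.xyz, so any host that wants yvan as a user also gets a Mastodon instance; the user file should only declare the account and the service belongs in its own module (e.g. modules/mastodon.nix) imported by hosts/vieuxtype.nix, with a comment stating where the nginx/ACME front end for `localDomain` is configured, since nothing here sets it up. `extraGroups = [ "wheel" "www-data" ];` puts the account in the fleet's sudo group; if the purpose is administering Mastodon, `www-data` or the mastodon service group alone is the least-privilege choice and `wheel` deserves an explicit justification comment. The key prefix (`AAAAB3NzaC1yc2EAAAADAQABAAABAQ`) indicates a 2048-bit RSA key while every other key in this repo is ed25519; an ed25519 key stored under modules/users/keys/ like the others would be consistent and easier to rotate.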
@@ -4,6 +4,7 @@
 home = "/home/nix";
 openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAZpEtSfB0GDwcELc5/AKNiBZJV9OVfQ0BMFzBlF+8Yd raito@everywhere"
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA3hCOyFwuoCLt5W9e9yQSwj9I+VspB0kNNHsoFngbgZ raito@thors"
 ];
 uid = 5001;
 };
diff --git a/modules/iperf-server.nix b/modules/iperf-server.nix
new file mode 100644
index 0000000..2b2a4b5
--- /dev/null
+++ b/modules/iperf-server.nix
@@ -0,0 +1,6 @@
+{ ... }: {
+ services.iperf3 = {
+ enable = true;
+ openFirewall = true;
+ };
+}
From 696929edb4f24808bd14b93e143663f119788f15 Mon Sep 17 00:00:00 2001
From: Raito Bezarius
Date: Thu, 8 Jun 2023 17:43:37 +0200
Subject: [PATCH 03/45] infra(epyc): add my key on builder and iperf3 server
---
 hosts/epyc.nix | 1 +
 modules/builder.nix | 1 +
 modules/iperf-server.nix | 6 ++++++
 3 files changed, 8 insertions(+)
 create mode 100644 modules/iperf-server.nix
diff --git a/hosts/epyc.nix b/hosts/epyc.nix
index 029b051..efbf696 100644
--- a/hosts/epyc.nix
+++ b/hosts/epyc.nix
@@ -2,6 +2,7 @@
 imports = [
 ../modules/ipmi-supermicro.nix
 ../modules/hardware/supermicro-H12SSL-i.nix
+ ../modules/iperf-server.nix
 ];
 networking.hostName = "epyc";
diff --git a/modules/builder.nix b/modules/builder.nix
index 89833b5..5dc80c8 100644
--- a/modules/builder.nix
+++ b/modules/builder.nix
@@ -4,6 +4,7 @@
 home = "/home/nix";
 openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAZpEtSfB0GDwcELc5/AKNiBZJV9OVfQ0BMFzBlF+8Yd raito@everywhere"
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA3hCOyFwuoCLt5W9e9yQSwj9I+VspB0kNNHsoFngbgZ raito@thors"
 ];
 uid = 5001;
 };
diff --git a/modules/iperf-server.nix b/modules/iperf-server.nix
new file mode 100644
index 0000000..2b2a4b5
--- /dev/null
+++ b/modules/iperf-server.nix
@@ -0,0 +1,6 @@
+{ ... }: {
+ services.iperf3 = {
+ enable = true;
+ openFirewall = true;
+ };
+}
From 379d7644903353ed231f9b33c03d76ec600eeb69 Mon Sep 17 00:00:00 2001
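Review bot: `openFirewall = true;` in modules/iperf-server.nix opens the iperf3 port on every interface of epyc, including its public address, so anyone on the internet can saturate the builder's uplink or occupy its single test slot; restrict it to the tailnet by opening the port only under `networking.firewall.interfaces.tailscale0` (or binding the server to the tailnet address if `services.iperf3.bind` exists in this channel) and add a comment stating who the server is for. Separately, patch 03/45 is a byte-for-byte duplicate of patch 02/45 (same `index 029b051..efbf696` and `index 89833b5..5dc80c8`), so applying the series in order stops at patch 03; the same problem recurs with patches 06–08, which re-apply parts of patch 01 against its parent (`index caaed52..`), so the series should be rebased before it is merged.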
From: Tom Hubrecht Date: Wed, 28 Jun 2023 14:13:28 +0200 Subject: [PATCH 04/45] infra(epyc): Add an ssh key for tomate --- modules/users/keys/tomate.keys | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/users/keys/tomate.keys b/modules/users/keys/tomate.keys index c5428d0..4dffc5d 100644 --- a/modules/users/keys/tomate.keys +++ b/modules/users/keys/tomate.keys @@ -1 +1,2 @@ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3 +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn thubrecht@dell-xps From 820adcfa3117a5c40e8cd09558440beef6394485 Mon Sep 17 00:00:00 2001 From: Tom Hubrecht Date: Wed, 28 Jun 2023 14:13:55 +0200 Subject: [PATCH 05/45] misc: Add .gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) create mode 100644 .gitignore diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..92b2793 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.direnv From 02fa2102d616a857a0758e4823c899d4e9d8d46b Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 1 Jul 2023 13:00:00 +0200 Subject: [PATCH 06/45] configurations: add trusted cache, terminfo and kitty's terminfo --- configurations.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/configurations.nix b/configurations.nix index caaed52..6c2e8c5 100644 --- a/configurations.nix +++ b/configurations.nix @@ -39,6 +39,9 @@ let disko.nixosModules.disko srvos.nixosModules.server + srvos.nixosModules.mixins-trusted-nix-caches + srvos.nixosModules.mixins-terminfo + # srvos.nixosModules.mixins-telegraf # srvos.nixosModules.mixins-terminfo @@ -74,6 +77,10 @@ let nur.flake = nur; }; time.timeZone = "UTC"; + + environment.systemPackages = [ + pkgs.kitty.terminfo + ]; }) ]; in From 7fd10c28cb107e70ce3dd34773115d34fb4d2361 Mon Sep 17 00:00:00 2001 
From: Raito Bezarius Date: Sat, 1 Jul 2023 13:00:07 +0200 Subject: [PATCH 07/45] zsh: use grml configuration by default --- modules/zsh.nix | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/modules/zsh.nix b/modules/zsh.nix index bba3962..8a7fae2 100644 --- a/modules/zsh.nix +++ b/modules/zsh.nix @@ -4,5 +4,13 @@ programs.zsh.enableGlobalCompInit = false; programs.zsh.interactiveShellInit = '' source ${pkgs.zsh-nix-shell}/share/zsh-nix-shell/nix-shell.plugin.zsh - ''; + ''; + programs.zsh = { + autosuggestions.enable = true; + promptInit = '' + source ${pkgs.grml-zsh-config}/etc/zsh/zshrc + ''; + }; + + users.defaultUserShell = pkgs.zsh; } From 5e9b7b77327fc1af9969da8d09ff1027fac9608c Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 1 Jul 2023 13:00:27 +0200 Subject: [PATCH 08/45] nix-daemon: improve open files for NixOS VM tests and thundering effects for GC --- modules/nix-daemon.nix | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/modules/nix-daemon.nix b/modules/nix-daemon.nix index ffda29f..b45d3a8 100644 --- a/modules/nix-daemon.nix +++ b/modules/nix-daemon.nix @@ -24,11 +24,19 @@ in config = { warnings = lib.optionals (config.simd.arch == null) [ "Please set simd.arch for ${config.networking.hostName}" ]; + # Allow more open files for non-root users to run NixOS VM tests. + security.pam.loginLimits = [ + { domain = "*"; item = "nofile"; type = "-"; value = "20480"; } + ]; nix = { + # Garbage-collect often gc.automatic = true; - gc.dates = "03:15"; - gc.options = "--delete-older-than 30d"; + gc.dates = "*:45"; + gc.options = ''--max-freed "$((128 * 1024**3 - 1024 * $(df -P -k /nix/store | tail -n 1 | ${pkgs.gawk}/bin/awk '{ print $4 }')))"''; + + # Randomize GC to avoid thundering herd effects. + gc.randomizedDelaySec = "1800"; # 2.11, 2.12 suffers from a bug with remote builders… package = pkgs.nixVersions.nix_2_13; From c898d56781492e7380b72c1a681fe3afe283ffde Mon Sep 17 00:00:00 2001 
From: Julien Malka Date: Sat, 1 Jul 2023 16:44:29 +0200 Subject: [PATCH 09/45] added luj's remote builders --- modules/ssh-cursed.nix | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 modules/ssh-cursed.nix diff --git a/modules/ssh-cursed.nix b/modules/ssh-cursed.nix new file mode 100644 index 0000000..deb956d --- /dev/null +++ b/modules/ssh-cursed.nix @@ -0,0 +1,36 @@ +{ + programs.ssh.extraConfig = '' + Host telecom-bastion + HostName ssh.enst.fr + User jmalka + IdentityFile /home/luj/.ssh/id_ed25519 + + Host lame11 + Hostname lame11.enst.fr + User nix-remote-builder + ProxyJump telecom-bastion + IdentityFile /home/luj/.ssh/id_ed25519 + Host lame10 + Hostname lame10.enst.fr + User nix-remote-builder + ProxyJump telecom-bastion + IdentityFile /home/luj/.ssh/id_ed25519 + Host lame12 + Hostname lame12.enst.fr + User nix-remote-builder + ProxyJump telecom-bastion + IdentityFile /home/luj/.ssh/id_ed25519 + Host lame16 + Hostname lame16.enst.fr + User nix-remote-builder + ProxyJump telecom-bastion + IdentityFile /home/luj/.ssh/id_ed25519 + Host lame17 + Hostname lame17.enst.fr + User nix-remote-builder + ProxyJump telecom-bastion + IdentityFile /home/luj/.ssh/id_ed25519 + + ''; + +} From 147ca052d4651d9ca16fe3bf18b6b911d68b85ef Mon Sep 17 00:00:00 2001 From: Julien Malka Date: Sat, 1 Jul 2023 16:46:53 +0200 Subject: [PATCH 10/45] import ssh-cursed module --- configurations.nix | 64 ++++++++++++++++++++++++---------------------- 1 file changed, 34 insertions(+), 30 deletions(-) diff --git a/configurations.nix b/configurations.nix index 6c2e8c5..8441d78 100644 --- a/configurations.nix +++ b/configurations.nix @@ -34,6 +34,7 @@ let ./modules/hosts.nix ./modules/network.nix ./modules/zsh.nix + ./modules/ssh-cursed.nix disko.nixosModules.disko 
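Review bot: `programs.ssh.extraConfig` in modules/ssh-cursed.nix lands in the system-wide /etc/ssh/ssh_config, and the next commit imports the module into commonModules, so `User jmalka` and `IdentityFile /home/luj/.ssh/id_ed25519` become defaults for every local user on every host: any other admin running `ssh lame11` will try to authenticate with luj's key, and the bastion and lame* host keys are not pinned anywhere. Wrap the block in `Match localuser luj` (or keep it in a host-specific module) and add `programs.ssh.knownHosts` entries for ssh.enst.fr and the lame hosts so connections made non-interactively by the nix daemon do not depend on a TOFU prompt. If these aliases are meant for root-run remote builds, a dedicated builder key under /root or /etc/nix is preferable to a personal key in a user's home. The `nix.buildMachines` entries that would use these hosts are not in this series, so presumably they live elsewhere; a comment pointing to them would help.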
@@ -50,38 +51,41 @@ let , config , lib , ... - }: let - sopsFile = ./. + "/hosts/${config.networking.hostName}.yml"; - in { - nix.nixPath = [ - "home-manager=${home-manager}" - "nixpkgs=${pkgs.path}" - "nur=${nur}" - ]; - # TODO: share nixpkgs for each machine to speed up local evaluation. - #nixpkgs.pkgs = self.inputs.nixpkgs.legacyPackages.${system}; + }: + let + sopsFile = ./. + "/hosts/${config.networking.hostName}.yml"; + in + { + nix.nixPath = [ + "home-manager=${home-manager}" + "nixpkgs=${pkgs.path}" + "nur=${nur}" + ]; + # TODO: share nixpkgs for each machine to speed up local evaluation. + #nixpkgs.pkgs = self.inputs.nixpkgs.legacyPackages.${system}; - #users.withSops = builtins.pathExists sopsFile; - #sops.secrets = lib.mkIf (config.users.withSops) { - # root-password-hash.neededForUsers = true; - #}; - # sops.defaultSopsFile = lib.mkIf (builtins.pathExists sopsFile) sopsFile; + #users.withSops = builtins.pathExists sopsFile; + #sops.secrets = lib.mkIf (config.users.withSops) { + # root-password-hash.neededForUsers = true; + #}; + # sops.defaultSopsFile = lib.mkIf (builtins.pathExists sopsFile) sopsFile; - nix.extraOptions = '' - flake-registry = ${flake-registry}/flake-registry.json - ''; + nix.extraOptions = '' + flake-registry = ${flake-registry}/flake-registry.json + builders-use-substitutes = true + ''; - nix.registry = { - home-manager.flake = home-manager; - nixpkgs.flake = nixpkgs; - nur.flake = nur; - }; - time.timeZone = "UTC"; + nix.registry = { + home-manager.flake = home-manager; + nixpkgs.flake = nixpkgs; + nur.flake = nur; + }; + time.timeZone = "UTC"; - environment.systemPackages = [ - pkgs.kitty.terminfo - ]; - }) + environment.systemPackages = [ + pkgs.kitty.terminfo + ]; + }) ]; in { @@ -94,8 +98,8 @@ in ++ [ ./hosts/epyc.nix ]; - }; }; + }; flake.colmena = { meta.nixpkgs = import nixpkgs { @@ -107,6 +111,6 @@ in ++ [ ./hosts/epyc.nix ]; - }; + }; }; } From e3f59ee35f8f3debcddcc2c99ec5d24cfe94ad5c Mon Sep 17 00:00:00 2001 
From: Raito Bezarius Date: Sun, 2 Jul 2023 17:43:48 +0200 Subject: [PATCH 11/45] flake: add nixos-hypervisor input Private repository for now. --- flake.lock | 74 +++++++++++++++++++++++++++++++++++++++++++++++++++--- flake.nix | 7 +++++- 2 files changed, 76 insertions(+), 5 deletions(-) diff --git a/flake.lock b/flake.lock index 1e7db14..7e4330f 100644 --- a/flake.lock +++ b/flake.lock @@ -123,6 +123,27 @@ "type": "github" } }, + "flake-parts_2": { + "inputs": { + "nixpkgs-lib": [ + "nixos-hypervisor", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1687762428, + "narHash": "sha256-DIf7mi45PKo+s8dOYF+UlXHzE0Wl/+k3tXUyAoAnoGE=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "37dd7bb15791c86d55c5121740a1887ab55ee836", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, "flake-registry": { "flake": false, "locked": { @@ -182,16 +203,16 @@ ] }, "locked": { - "lastModified": 1667907331, - "narHash": "sha256-bHkAwkYlBjkupPUFcQjimNS8gxWSWjOTevEuwdnp5m0=", + "lastModified": 1687871164, + "narHash": "sha256-bBFlPthuYX322xOlpJvkjUBz0C+MOBjZdDOOJJ+G2jU=", "owner": "rycee", "repo": "home-manager", - "rev": "6639e3a837fc5deb6f99554072789724997bc8e5", + "rev": "07c347bb50994691d7b0095f45ebd8838cf6bc38", "type": "github" }, "original": { "owner": "rycee", - "ref": "release-22.05", + "ref": "release-23.05", "repo": "home-manager", "type": "github" } 
@@ -211,6 +232,29 @@ "type": "github" } }, + "nixos-hypervisor": { + "inputs": { + "flake-parts": "flake-parts_2", + "nixpkgs": [ + "nixpkgs" + ], + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1688312018, + "narHash": "sha256-HU6yQuvGyA9ZPik6VQ1RaIyRfPksDCDVVnUXVfpenzo=", + "ref": "main", + "rev": "1b532cd9302454fb65027ca9a190c875195fb01c", + "revCount": 2, + "type": "git", + "url": "ssh://gitea@git.newtype.fr/newtype/nixos-hypervisor" + }, + "original": { + "ref": "main", + "type": "git", + "url": "ssh://gitea@git.newtype.fr/newtype/nixos-hypervisor" + } + }, "nixpkgs": { "locked": { "lastModified": 1685952468, @@ -267,6 +311,7 @@ "flake-registry": "flake-registry", "home-manager": "home-manager_2", "nixos-hardware": "nixos-hardware", + "nixos-hypervisor": "nixos-hypervisor", "nixpkgs": "nixpkgs", "nixpkgs-unstable": "nixpkgs-unstable", "nur": "nur", @@ -308,6 +353,27 @@ "repo": "nixpkgs", "type": "github" } + }, + "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "nixos-hypervisor", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1688026376, + "narHash": "sha256-qJmkr9BWDpqblk4E9/rCsAEl39y2n4Ycw6KRopvpUcY=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "df3f32b0cc253dfc7009b7317e8f0e7ccd70b1cf", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 13302ee..61ef327 100644 --- a/flake.nix +++ b/flake.nix @@ -23,7 +23,7 @@ nixos-hardware.url = "github:NixOS/nixos-hardware"; nur.url = "github:nix-community/NUR"; - home-manager.url = "github:rycee/home-manager/release-22.05"; + home-manager.url = "github:rycee/home-manager/release-23.05"; home-manager.inputs.nixpkgs.follows = "nixpkgs"; agenix.url = "github:ryantm/agenix"; 
@@ -36,6 +36,11 @@ # actually not used when using the modules but than nothing ever will try to fetch this nixpkgs variant srvos.inputs.nixpkgs.follows = "nixpkgs"; + # Ryan's experimental hypervisor based on cloud-hypervisor + # Private repository, you need a valid SSH key to access it + nixos-hypervisor.url = "git+ssh://gitea@git.newtype.fr/newtype/nixos-hypervisor?ref=main"; + nixos-hypervisor.inputs.nixpkgs.follows = "nixpkgs"; + flake-registry.url = "github:NixOS/flake-registry"; flake-registry.flake = false; }; From 444a655fec714cf9bbc449103d81533e8e27574f Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 2 Jul 2023 17:46:01 +0200 Subject: [PATCH 12/45] infra: enable experimental hypervisor on EPYC machine --- configurations.nix | 3 +++ hosts/epyc.nix | 1 + modules/hypervisor.nix | 5 +++++ 3 files changed, 9 insertions(+) create mode 100644 modules/hypervisor.nix diff --git a/configurations.nix b/configurations.nix index 8441d78..f8b50ba 100644 --- a/configurations.nix +++ b/configurations.nix @@ -8,6 +8,7 @@ let nur colmena flake-registry + nixos-hypervisor nixos-hardware nixpkgs-unstable srvos @@ -43,6 +44,8 @@ let srvos.nixosModules.mixins-trusted-nix-caches srvos.nixosModules.mixins-terminfo + nixos-hypervisor.nixosModules.host + # srvos.nixosModules.mixins-telegraf # srvos.nixosModules.mixins-terminfo diff --git a/hosts/epyc.nix b/hosts/epyc.nix index efbf696..c7eb7a6 100644 --- a/hosts/epyc.nix +++ b/hosts/epyc.nix @@ -3,6 +3,7 @@ ../modules/ipmi-supermicro.nix ../modules/hardware/supermicro-H12SSL-i.nix ../modules/iperf-server.nix + ../modules/hypervisor.nix ]; networking.hostName = "epyc"; diff --git a/modules/hypervisor.nix b/modules/hypervisor.nix new file mode 100644 index 0000000..2b11b5c --- /dev/null +++ b/modules/hypervisor.nix @@ -0,0 +1,5 @@ +{ ... }: { + virtualisation.nvisor = { + enable = true; + }; +} From 8d187d1ef03929e79cef13e19262d7655ab1db6e Mon Sep 17 00:00:00 2001 
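Review bot: In the second configurations.nix hunk, `nixos-hypervisor.nixosModules.host` is appended to commonModules, so every host — including the vieuxtype VM — now imports the hypervisor host module and every evaluation of this flake needs SSH access to the private `git+ssh://gitea@git.newtype.fr/newtype/nixos-hypervisor` input, regardless of which host is being built. If the module only acts under `virtualisation.nvisor.enable`, this is merely extra surface, but it still means contributors without the deploy key cannot evaluate the other hosts; importing the module from modules/hypervisor.nix next to the `enable = true` it needs (if `inputs` are reachable from modules) keeps the private dependency scoped to epyc. Either way a comment on the commonModules line such as `# pulls in the private nixos-hypervisor input for every host` would make the cost visible.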
From: Raito Bezarius Date: Sun, 2 Jul 2023 19:45:17 +0200 Subject: [PATCH 13/45] infra: boot a simple VM --- configurations.nix | 3 +++ flake.lock | 8 ++++---- hosts/epyc.nix | 8 ++++++++ 3 files changed, 15 insertions(+), 4 deletions(-) diff --git a/configurations.nix b/configurations.nix index f8b50ba..550d0fd 100644 --- a/configurations.nix +++ b/configurations.nix @@ -107,6 +107,9 @@ in flake.colmena = { meta.nixpkgs = import nixpkgs { system = "x86_64-linux"; + overlays = [ + nixos-hypervisor.overlays.default + ]; }; epyc = { imports = diff --git a/flake.lock b/flake.lock index 7e4330f..6a47414 100644 --- a/flake.lock +++ b/flake.lock @@ -241,11 +241,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1688312018, - "narHash": "sha256-HU6yQuvGyA9ZPik6VQ1RaIyRfPksDCDVVnUXVfpenzo=", + "lastModified": 1688319245, + "narHash": "sha256-+fXRVu4TDH8mxmZpSByJZCprKfHduFTLOb7sTm4w0RQ=", "ref": "main", - "rev": "1b532cd9302454fb65027ca9a190c875195fb01c", - "revCount": 2, + "rev": "89b36124b161492f140185815ec5b76a0b29dba7", + "revCount": 5, "type": "git", "url": "ssh://gitea@git.newtype.fr/newtype/nixos-hypervisor" }, diff --git a/hosts/epyc.nix b/hosts/epyc.nix index c7eb7a6..805fa33 100644 --- a/hosts/epyc.nix +++ b/hosts/epyc.nix @@ -10,6 +10,14 @@ boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; + virtualisation.nvisor.vms = { + vm01 = { + config = { pkgs, ... }: { + environment.systemPackages = [ pkgs.hello ]; + }; + }; + }; + simd.arch = "znver3"; system.stateVersion = "23.05"; } From c208537f4954b4a330b149d264e9e15b1821610c Mon Sep 17 00:00:00 2001 
From: Julien Malka Date: Sun, 23 Jul 2023 13:44:48 +0200 Subject: [PATCH 14/45] Updated hypervisor input --- flake.lock | 5 +-- flake.nix | 31 ++++++++----------- modules/buildbot/default.nix | 57 ++++++++++++++++++++++++++++++++++ modules/buildbot/worker.py | 59 ++++++++++++++++++++++++++++++++++++ 4 files changed, 131 insertions(+), 21 deletions(-) create mode 100644 modules/buildbot/default.nix create mode 100644 modules/buildbot/worker.py diff --git a/flake.lock b/flake.lock index 6a47414..ccc75ee 100644 --- a/flake.lock +++ b/flake.lock @@ -242,9 +242,9 @@ }, "locked": { "lastModified": 1688319245, - "narHash": "sha256-+fXRVu4TDH8mxmZpSByJZCprKfHduFTLOb7sTm4w0RQ=", + "narHash": "sha256-fVIbXKvHmxSUAKTMiXx799UasQwU2XT+op7bzvtfl8c=", "ref": "main", - "rev": "89b36124b161492f140185815ec5b76a0b29dba7", + "rev": "9f32a304708fd9c91c081db05eee1b4f2e0226cc", "revCount": 5, "type": "git", "url": "ssh://gitea@git.newtype.fr/newtype/nixos-hypervisor" @@ -379,3 +379,4 @@ "root": "root", "version": 7 } + diff --git a/flake.nix b/flake.nix index 61ef327..a906796 100644 --- a/flake.nix +++ b/flake.nix @@ -1,13 +1,6 @@ { description = "NixOS configuration with flakes"; - nixConfig.extra-substituters = [ - "https://newtype.cachix.org" - ]; - nixConfig.extra-trusted-public-keys = [ - "newtype.cachix.org-1:Gd5G2EVFNJslfR3PxA2+JY7mHT6MwVJ6biv5Cg47SD0=" - ]; - # To update all inputs: # $ nix flake update --recreate-lock-file inputs = { 
@@ -88,19 +81,19 @@ ] ++ pkgs.lib.optional (pkgs.stdenv.isLinux) pkgs.mkpasswd; }; packages = { - # netboot = pkgs.callPackage ./modules/netboot/netboot.nix { - # # this nixosSystem is built for x86_64 machines regardless of the host machine - # pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux; - # inherit (inputs.nixpkgs.lib) nixosSystem; - # extraModules = [ - # self.inputs.nur.nixosModules.nur - # { _module.args.inputs = self.inputs; } - # ]; - # }; + # netboot = pkgs.callPackage ./modules/netboot/netboot.nix { + # # this nixosSystem is built for x86_64 machines regardless of the host machine + # pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux; + # inherit (inputs.nixpkgs.lib) nixosSystem; + # extraModules = [ + # self.inputs.nur.nixosModules.nur + # { _module.args.inputs = self.inputs; } + # ]; + # }; - # netboot-pixie-core = pkgs.callPackage ./modules/netboot/netboot-pixie-core.nix { - # inherit (self'.packages) netboot; - # }; + # netboot-pixie-core = pkgs.callPackage ./modules/netboot/netboot-pixie-core.nix { + # inherit (self'.packages) netboot; + # }; }; }; flake = { diff --git a/modules/buildbot/default.nix b/modules/buildbot/default.nix new file mode 100644 index 0000000..5b0caa5 --- /dev/null +++ b/modules/buildbot/default.nix 
@@ -0,0 +1,57 @@ +{ lib, pkgs, config, ... }: +with lib; +let + cfg = config.luj.buildbot; + port = "1810"; + package = pkgs.buildbot-worker; + python = package.pythonModule; + home = "/var/lib/buildbot-worker"; + buildbotDir = "${home}/worker"; +in +{ + #buildbot worker + + nix.settings.allowed-users = [ "buildbot-worker" ]; + users.users.buildbot-worker = { + description = "Buildbot Worker User."; + isSystemUser = true; + createHome = true; + home = "/var/lib/buildbot-worker"; + group = "buildbot-worker"; + useDefaultShell = true; + }; + users.groups.buildbot-worker = { }; + + systemd.services.buildbot-worker = { + reloadIfChanged = true; + description = "Buildbot Worker."; + after = [ "network.target" "buildbot-master.service" ]; + wantedBy = [ "multi-user.target" ]; + path = [ + pkgs.unstable.nix-eval-jobs + pkgs.git + pkgs.gh + pkgs.nix + pkgs.nix-output-monitor + ]; + environment.PYTHONPATH = "${python.withPackages (_: [package])}/${python.sitePackages}"; + environment.MASTER_URL = ''tcp:host=ci.julienmalka.me''; + environment.BUILDBOT_DIR = buildbotDir; + environment.WORKER_PASSWORD_FILE = "/var/lib/buildbot-worker/password.txt"; + + serviceConfig = { + Type = "simple"; + User = "buildbot-worker"; + Group = "buildbot-worker"; + WorkingDirectory = home; + + # Restart buildbot with a delay. This time way we can use buildbot to deploy itself. + ExecReload = "+${pkgs.systemd}/bin/systemd-run --on-active=60 ${pkgs.systemd}/bin/systemctl restart buildbot-worker"; + ExecStart = "${python.pkgs.twisted}/bin/twistd --nodaemon --pidfile= --logfile - --python ${./worker.py}"; + }; + }; + +} + + + diff --git a/modules/buildbot/worker.py b/modules/buildbot/worker.py new file mode 100644 index 0000000..a640eff --- /dev/null +++ b/modules/buildbot/worker.py 
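Review bot: `environment.WORKER_PASSWORD_FILE = "/var/lib/buildbot-worker/password.txt"` keeps the master credential inside the worker's own home (`home = "/var/lib/buildbot-worker"`, `createHome = true`), so the unprivileged worker — and any CI step it runs — can read, replace or exfiltrate it. I would store the secret outside the service's writable state and hand it over with `LoadCredential = "password:/run/secrets/buildbot-worker-password";` in `serviceConfig`, pointing `WORKER_PASSWORD_FILE` at `/run/credentials/buildbot-worker.service/password`. `after = [ "network.target" "buildbot-master.service" ]` orders against a master unit this module never defines and that `MASTER_URL` says lives on another host, so that entry is dead; `cfg` and `port` in the `let` are unused as well.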
@@ -0,0 +1,59 @@ +#!/usr/bin/env python3 + +import multiprocessing +import os +import socket +from io import open + +from buildbot_worker.bot import Worker +from twisted.application import service + + +def require_env(key: str) -> str: + val = os.environ.get(key) + assert val is not None, "val is not set" + return val + + +def setup_worker(application: service.Application, id: int) -> None: + basedir = f"{require_env('BUILDBOT_DIR')}-{id}" + os.makedirs(basedir, mode=0o700, exist_ok=True) + + master_url = require_env("MASTER_URL") + hostname = socket.gethostname() + workername = f"{hostname}-{id}" + + with open( + require_env("WORKER_PASSWORD_FILE"), "r", encoding="utf-8" + ) as passwd_file: + passwd = passwd_file.read().strip("\r\n") + keepalive = 600 + umask = None + maxdelay = 300 + numcpus = None + allow_shutdown = None + + s = Worker( + None, + None, + workername, + passwd, + basedir, + keepalive, + connection_string=master_url, + umask=umask, + maxdelay=maxdelay, + numcpus=numcpus, + allow_shutdown=allow_shutdown, + ) + s.setServiceParent(application) + + +# note: this line is matched against to check that this is a worker +# directory; do not edit it. +application = service.Application("buildbot-worker") + +for i in range(14): + setup_worker(application, i) + + From ebea10d242383fbb5d0c5f904e64f9358635213d Mon Sep 17 00:00:00 2001 From: Julien Malka Date: Tue, 1 Aug 2023 16:48:49 +0200 Subject: [PATCH 15/45] added buildbot workers --- configurations.nix | 1 + hosts/epyc.nix | 2 ++ modules/buildbot/default.nix | 4 ++-- modules/buildbot/worker.py | 5 ++--- 4 files changed, 7 insertions(+), 5 deletions(-) diff --git a/configurations.nix b/configurations.nix index 550d0fd..f14c0a0 100644 --- a/configurations.nix +++ b/configurations.nix @@ -36,6 +36,7 @@ let ./modules/network.nix ./modules/zsh.nix ./modules/ssh-cursed.nix + ./modules/buildbot disko.nixosModules.disko diff --git a/hosts/epyc.nix b/hosts/epyc.nix index 805fa33..b41c69a 100644 --- a/hosts/epyc.nix 
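Review bot: `require_env` validates required configuration with `assert`, which is stripped when the interpreter runs with `-O`, and its message `"val is not set"` never says which variable is missing. Replace the assertion with an explicit check: `if val is None: raise RuntimeError(f"{key} is not set")`. `for i in range(14)` hard-codes the worker count; reading it from an environment variable with a default of 14 would keep the Nix module as the single place that sizes this host.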
+++ b/hosts/epyc.nix @@ -18,6 +18,8 @@ }; }; + boot.binfmt.emulatedSystems = [ "aarch64-linux" "riscv64-linux" ]; + simd.arch = "znver3"; system.stateVersion = "23.05"; } diff --git a/modules/buildbot/default.nix b/modules/buildbot/default.nix index 5b0caa5..3691eab 100644 --- a/modules/buildbot/default.nix +++ b/modules/buildbot/default.nix @@ -28,14 +28,14 @@ in after = [ "network.target" "buildbot-master.service" ]; wantedBy = [ "multi-user.target" ]; path = [ - pkgs.unstable.nix-eval-jobs + pkgs.nix-eval-jobs pkgs.git pkgs.gh pkgs.nix pkgs.nix-output-monitor ]; environment.PYTHONPATH = "${python.withPackages (_: [package])}/${python.sitePackages}"; - environment.MASTER_URL = ''tcp:host=ci.julienmalka.me''; + environment.MASTER_URL = ''TCP:2a01\\:e34\\:ec2a\\:8e60\\:8ec7\\:b5d2\\:f663\\:a67a:9989''; environment.BUILDBOT_DIR = buildbotDir; environment.WORKER_PASSWORD_FILE = "/var/lib/buildbot-worker/password.txt"; diff --git a/modules/buildbot/worker.py b/modules/buildbot/worker.py index a640eff..198dfae 100644 --- a/modules/buildbot/worker.py +++ b/modules/buildbot/worker.py @@ -34,13 +34,12 @@ def setup_worker(application: service.Application, id: int) -> None: allow_shutdown = None s = Worker( - None, - None, + "2a01:e34:ec2a:8e60:8ec7:b5d2:f663:a67a", + 9989, workername, passwd, basedir, keepalive, - connection_string=master_url, umask=umask, maxdelay=maxdelay, numcpus=numcpus, From 81cf3e076932e6430e9ada6f94b9cf07634a603a Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 1 Aug 2023 17:00:14 +0200 Subject: [PATCH 16/45] epyc: add riscv64-linux emulation support --- hosts/epyc.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/hosts/epyc.nix b/hosts/epyc.nix index b41c69a..fda7667 100644 --- a/hosts/epyc.nix +++ b/hosts/epyc.nix @@ -4,6 +4,7 @@ ../modules/hardware/supermicro-H12SSL-i.nix ../modules/iperf-server.nix ../modules/hypervisor.nix + ../modules/hydra/coordinator.nix ]; networking.hostName = "epyc"; 
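Review bot: The `Worker(...)` call now hard-codes the master's address and port while `default.nix` in the same commit still exports `MASTER_URL`, and `master_url = require_env("MASTER_URL")` earlier in `setup_worker` (outside this hunk) is kept but no longer used, so a stale or mistyped variable goes unnoticed and the master's location now lives in two places. I would keep one source of truth by restoring `connection_string=master_url` and letting Nix provide a valid Twisted endpoint string. The new Nix value `''TCP:2a01\\:e34\\:...:9989''` is an indented string, which as far as I know does not process backslash escapes, so the doubled `\\` would reach Twisted literally; a plain `"tcp:host=2a01\\:e34\\:ec2a\\:8e60\\:8ec7\\:b5d2\\:f663\\:a67a:port=9989"` string yields the single-backslash form the endpoint parser expects.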
@@ -18,7 +19,7 @@ }; }; - boot.binfmt.emulatedSystems = [ "aarch64-linux" "riscv64-linux" ]; + boot.binfmt.emulatedSystems = [ "riscv64-linux" "aarch64-linux" "riscv64-linux" ]; simd.arch = "znver3"; system.stateVersion = "23.05"; From 567b99aa57d4dbf0967dabb6162e37cf46e8db9d Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 1 Aug 2023 17:04:03 +0200 Subject: [PATCH 17/45] epyc: add hydra.newtype.fr --- modules/hydra/coordinator.nix | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 modules/hydra/coordinator.nix diff --git a/modules/hydra/coordinator.nix b/modules/hydra/coordinator.nix new file mode 100644 index 0000000..77c1ceb --- /dev/null +++ b/modules/hydra/coordinator.nix @@ -0,0 +1,9 @@ +{ ... }: { + services.hydra = { + enable = true; + hydraURL = "https://hydra.newtype.fr"; + notificationSender = "hydra@localhost"; + buildMachinesFiles = [ ]; + useSubstitutes = true; + }; +} From d9d32e019469e96a0e326ffc42ad306cfd86c04e Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Thu, 3 Aug 2023 22:56:37 +0200 Subject: [PATCH 18/45] epyc: init hydra settings properly --- hosts/epyc.nix | 16 ++++++++ modules/hydra/coordinator.nix | 76 ++++++++++++++++++++++++++++++++++- modules/nix-daemon.nix | 6 ++- 3 files changed, 95 insertions(+), 3 deletions(-) diff --git a/hosts/epyc.nix b/hosts/epyc.nix index fda7667..ac0864b 100644 --- a/hosts/epyc.nix +++ b/hosts/epyc.nix @@ -1,3 +1,8 @@ +{ lib, ... }: +let + gcc-system-features = arch: lib.optionals (arch != null) ([ "gccarch-${arch}" ] + ++ map (x: "gccarch-${x}") lib.systems.architectures.inferiors.${arch}); +in { imports = [ ../modules/ipmi-supermicro.nix 
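Review bot: The new list `[ "riscv64-linux" "aarch64-linux" "riscv64-linux" ]` contains `riscv64-linux` twice, and the removed line shows it was already present, so the commit title's "add riscv64-linux emulation support" does not match what changes. Even if the binfmt module tolerates the duplicate (I have not verified that), it will confuse the next reader; `boot.binfmt.emulatedSystems = [ "aarch64-linux" "riscv64-linux" ];` is the intended state.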
@@ -19,6 +24,17 @@ }; }; + nix.buildMachines = [ + { hostName = "localhost"; + systems = [ + "x86_64-linux" + "riscv64-linux" + ]; + supportedFeatures = [ "kvm" "nixos-test" "big-parallel" "benchmark" ] ++ gcc-system-features "znver3"; + maxJobs = 1; + } + ]; + boot.binfmt.emulatedSystems = [ "riscv64-linux" "aarch64-linux" "riscv64-linux" ]; simd.arch = "znver3"; diff --git a/modules/hydra/coordinator.nix b/modules/hydra/coordinator.nix index 77c1ceb..55dda02 100644 --- a/modules/hydra/coordinator.nix +++ b/modules/hydra/coordinator.nix 
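Review bot: `systems = [ "x86_64-linux" "riscv64-linux" ]` advertises riscv64 for the localhost build machine but omits `aarch64-linux`, although the `boot.binfmt.emulatedSystems` context line registers an aarch64 emulator too; if Hydra is meant to schedule aarch64 jobs here, add it. Because the emulated systems run under qemu-user, `"big-parallel"` and `"benchmark"` in `supportedFeatures` are also claimed for emulated builds, which is unlikely to be what a benchmark job wants; a second entry for the emulated systems with a reduced feature list would keep the advertisement honest. A short comment above the entry explaining why `localhost` is listed as a remote machine (Hydra reads `/etc/nix/machines`) would help readers unfamiliar with the setup.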
@@ -1,9 +1,81 @@ -{ ... }: { +{ pkgs, ... }: { services.hydra = { enable = true; hydraURL = "https://hydra.newtype.fr"; notificationSender = "hydra@localhost"; - buildMachinesFiles = [ ]; + buildMachinesFiles = [ "/etc/nix/machines" ]; useSubstitutes = true; }; + + environment.systemPackages = [ pkgs.nix-prefetch-git ]; + nix.trustedUsers = [ "hydra" "hydra-www" ]; + + services.postgresql = { + enableJIT = true; + settings = { + checkpoint_completion_target = "0.9"; + default_statistics_target = 100; + + max_connections = 500; + work_mem = "20MB"; + maintenance_work_mem = "2GB"; + + shared_buffers = "8GB"; + + min_wal_size = "1GB"; + max_wal_size = "2GB"; + wal_buffers = "16MB"; + + max_worker_processes = 16; + max_parallel_workers_per_gather = 8; + max_parallel_workers = 16; + + # NVMe related performance tuning + effective_io_concurrency = 200; + random_page_cost = "1.1"; + + # We can risk losing some transactions. + synchronous_commit = "off"; + + effective_cache_size = "16GB"; + + # autovacuum and autoanalyze much more frequently: + # at these values vacuum should run approximately + # every 2 mass rebuilds, or a couple times a day + # on the builds table. Some of those queries really + # benefit from frequent vacuums, so this should + # help. In particular, I'm thinking the jobsets + # pages. 
+ autovacuum_vacuum_scale_factor = 0.002; + autovacuum_analyze_scale_factor = 0.001; + + shared_preload_libraries = "pg_stat_statements"; + compute_query_id = "on"; + }; + }; + + security.acme = { + acceptTerms = true; + defaults.email = "ryan@lahfa.xyz"; + }; + + services.nginx = { + enable = true; + + recommendedZstdSettings = true; + recommendedBrotliSettings = true; + recommendedGzipSettings = true; + recommendedOptimisation =true; + recommendedTlsSettings = true; + recommendedProxySettings = true; + }; + + services.nginx.virtualHosts."hydra.newtype.fr" = { + forceSSL = true; + enableACME = true; + # TODO: remove compression for some locations + locations."/".proxyPass = "http://localhost:3000"; + }; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; } diff --git a/modules/nix-daemon.nix b/modules/nix-daemon.nix index b45d3a8..3120c3d 100644 --- a/modules/nix-daemon.nix +++ b/modules/nix-daemon.nix @@ -42,13 +42,17 @@ in package = pkgs.nixVersions.nix_2_13; # should be enough? - nrBuildUsers = lib.mkDefault 32; + nrBuildUsers = 128; # https://github.com/NixOS/nix/issues/719 + daemonCPUSchedPolicy = "batch"; + daemonIOSchedClass = "best-effort"; + daemonIOSchedPriority = 5; settings = { keep-outputs = true; keep-derivations = true; + max-jobs = 64; # in zfs we trust fsync-metadata = lib.boolToString (!config.boot.isContainer or config.fileSystems."/".fsType != "zfs"); substituters = [ From 88873083d509478d3aff3dbd8fa9224220ae645a Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Fri, 4 Aug 2023 02:52:46 +0200 Subject: [PATCH 19/45] =?UTF-8?q?epyc:=2064=20=E2=86=92=2042=20max=20jobs?= =?UTF-8?q?=20otherwise=20RAM=20explodes=20too=20quickly=20with=20browsers?= =?UTF-8?q?=20and=20whatever?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- modules/nix-daemon.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nix-daemon.nix b/modules/nix-daemon.nix index 3120c3d..ab3626e 100644 
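Review bot: `nix.trustedUsers = [ "hydra" "hydra-www" ];` makes the web front-end account a Nix trusted user. Trusted users can override daemon settings such as substituters, trusted public keys and sandbox paths, so any bug in the HTTP-facing `hydra-www` process becomes a path to a poisoned store; only the evaluator/queue-runner side needs that privilege, and I believe the NixOS hydra module already trusts `hydra-queue-runner`. I would drop `hydra-www` and use the current option name: `nix.settings.trusted-users = [ "hydra" ];`. The nginx block proxies `hydra.newtype.fr` to `http://localhost:3000` with `recommendedProxySettings`, so a one-line comment noting that Hydra's own listener stays bound to loopback would document the exposure boundary.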
--- a/modules/nix-daemon.nix +++ b/modules/nix-daemon.nix @@ -52,7 +52,7 @@ in settings = { keep-outputs = true; keep-derivations = true; - max-jobs = 64; + max-jobs = 42; # 64 is too much, it will explode the RAM for now. Let's keep it serious. # in zfs we trust fsync-metadata = lib.boolToString (!config.boot.isContainer or config.fileSystems."/".fsType != "zfs"); substituters = [ From 65c58a00bb2547e6a270c0531c018cf523eae94d Mon Sep 17 00:00:00 2001 From: Julien Malka Date: Mon, 7 Aug 2023 14:46:46 +0200 Subject: [PATCH 20/45] added attic to buildbot --- flake.nix | 2 ++ modules/buildbot/default.nix | 4 +++- modules/packages.nix | 3 ++- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/flake.nix b/flake.nix index a906796..d4b5920 100644 --- a/flake.nix +++ b/flake.nix @@ -25,6 +25,8 @@ colmena.url = "github:zhaofengli/colmena"; colmena.inputs.nixpkgs.follows = "nixpkgs"; + attic.url = "github:zhaofengli/attic"; + srvos.url = "github:numtide/srvos"; # actually not used when using the modules but than nothing ever will try to fetch this nixpkgs variant srvos.inputs.nixpkgs.follows = "nixpkgs"; diff --git a/modules/buildbot/default.nix b/modules/buildbot/default.nix index 3691eab..ae77a56 100644 --- a/modules/buildbot/default.nix +++ b/modules/buildbot/default.nix @@ -1,4 +1,4 @@ -{ lib, pkgs, config, ... }: +{ lib, pkgs, config, inputs, ... }: with lib; let cfg = config.luj.buildbot; @@ -12,6 +12,7 @@ in #buildbot worker nix.settings.allowed-users = [ "buildbot-worker" ]; + nix.settings.trusted-users = [ "buildbot-worker" ]; users.users.buildbot-worker = { description = "Buildbot Worker User."; isSystemUser = true; @@ -33,6 +34,7 @@ in pkgs.gh pkgs.nix pkgs.nix-output-monitor + inputs.attic.packages.x86_64-linux.attic ]; environment.PYTHONPATH = "${python.withPackages (_: [package])}/${python.sitePackages}"; environment.MASTER_URL = ''TCP:2a01\\:e34\\:ec2a\\:8e60\\:8ec7\\:b5d2\\:f663\\:a67a:9989''; 
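Review bot: `attic.url = "github:zhaofengli/attic";` is added without the `inputs.nixpkgs.follows = "nixpkgs"` line that the neighbouring `colmena` and `srvos` inputs carry, so attic drags its own nixpkgs (and a second nixpkgs pin) into the lock and the closure. Unless attic is known to require its pinned nixpkgs, add `attic.inputs.nixpkgs.follows = "nixpkgs";` next to it. Since `inputs.attic.packages.x86_64-linux.attic` ends up on the system path of every host, a comment stating that only `flake.lock` pins this binary would help reviewers of future `flake: bump` commits.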
diff --git a/modules/packages.nix b/modules/packages.nix index c396d63..5503b6e 100644 --- a/modules/packages.nix +++ b/modules/packages.nix @@ -1,10 +1,11 @@ -{ pkgs, ... }: { +{ pkgs, inputs, ... }: { # this extends the list from: # https://github.com/numtide/srvos/blob/master/server.nix#L10 environment.systemPackages = with pkgs; [ socat whois + inputs.attic.packages.x86_64-linux.attic jq psmisc libarchive From 14ec5cc6fe00ea0f8900a4e063118d9ff396f318 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 13 Aug 2023 01:20:41 +0200 Subject: [PATCH 21/45] epyc: add nix-top --- modules/packages.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/modules/packages.nix b/modules/packages.nix index 5503b6e..7d84ab0 100644 --- a/modules/packages.nix +++ b/modules/packages.nix @@ -35,6 +35,8 @@ usbutils ipmitool + + nix-top # tries to default to soft-float due to out-dated cc-rs ] ++ lib.optional (!stdenv.hostPlatform.isRiscV) bandwhich; } From ada25e575fcb916a27439fcb08bfef72e3be70fe Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 13 Aug 2023 01:20:45 +0200 Subject: [PATCH 22/45] flake: bump --- flake.lock | 65 +++++++++++++++++++++++++++--------------------------- 1 file changed, 32 insertions(+), 33 deletions(-) diff --git a/flake.lock b/flake.lock index ccc75ee..4ef6807 100644 --- a/flake.lock +++ b/flake.lock @@ -9,11 +9,11 @@ ] }, "locked": { - "lastModified": 1684153753, - "narHash": "sha256-PVbWt3qrjYAK+T5KplFcO+h7aZWfEj1UtyoKlvcDxh0=", + "lastModified": 1690228878, + "narHash": "sha256-9Xe7JV0krp4RJC9W9W9WutZVlw6BlHTFMiUP/k48LQY=", "owner": "ryantm", "repo": "agenix", - "rev": "db5637d10f797bb251b94ef9040b237f4702cde3", + "rev": "d8c973fd228949736dedf61b7f8cc1ece3236792", "type": "github" }, "original": { 
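Review bot: `inputs.attic.packages.x86_64-linux.attic` hard-codes the system inside a list that is evaluated with `with pkgs;` and that already guards `bandwhich` with `!stdenv.hostPlatform.isRiscV`, so non-x86 evaluation is clearly anticipated and this entry would pull an x86 binary onto such a host. Select the package for the evaluating system instead: `inputs.attic.packages.${stdenv.hostPlatform.system}.attic`. The same literal appears in `modules/buildbot/default.nix` in this commit and deserves the same treatment.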
@@ -32,11 +32,11 @@ "stable": "stable" }, "locked": { - "lastModified": 1685163780, - "narHash": "sha256-tMwseHtEFDpO3WKeZKWqrKRAZI6TiEULidxEbzicuFg=", + "lastModified": 1688224393, + "narHash": "sha256-rsAvFNhRFzTF7qyb6WprLFghJnRxMFjvD2e5/dqMp4I=", "owner": "zhaofengli", "repo": "colmena", - "rev": "c61bebae1dc1d57237577080b1ca1e37a3fbcebf", + "rev": "19384f3ee2058c56021e4465a3ec57e84a47d8dd", "type": "github" }, "original": { @@ -74,11 +74,11 @@ ] }, "locked": { - "lastModified": 1685970051, - "narHash": "sha256-F5ZxBD2DeNd+Q0dDKYBhv76kfjVG/X0ccXjSKpa8KdI=", + "lastModified": 1690739034, + "narHash": "sha256-roW02IaiQ3gnEEDMCDWL5YyN+C4nBf/te6vfL7rG0jk=", "owner": "nix-community", "repo": "disko", - "rev": "29d632d7e8fa86f937153ecdfd7d768411001d2d", + "rev": "4015740375676402a2ee6adebc3c30ea625b9a94", "type": "github" }, "original": { @@ -110,11 +110,11 @@ ] }, "locked": { - "lastModified": 1685662779, - "narHash": "sha256-cKDDciXGpMEjP1n6HlzKinN0H+oLmNpgeCTzYnsA2po=", + "lastModified": 1690933134, + "narHash": "sha256-ab989mN63fQZBFrkk4Q8bYxQCktuHmBIBqUG1jl6/FQ=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "71fb97f0d875fd4de4994dfb849f2c75e17eb6c3", + "rev": "59cf3f1447cfc75087e7273b04b31e689a8599fb", "type": "github" }, "original": { @@ -147,11 +147,11 @@ "flake-registry": { "flake": false, "locked": { - "lastModified": 1682423975, - "narHash": "sha256-zvOBrH3hwCedgpaWiOSHYSt+fgF/RhaJs8R5qOX6AYc=", + "lastModified": 1689333397, + "narHash": "sha256-g1Nn0sgH/hR/gEAQ1q6bloU+Q+V+Y4HlBBH6CBxC0HM=", "owner": "NixOS", "repo": "flake-registry", - "rev": "8054bfa00d60437297d670ab3296a117e7059a10", + "rev": "5d8dc3eb692809ffd9a2f22cdb8015aa11972905", "type": "github" }, "original": { 
@@ -219,11 +219,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1684899633, - "narHash": "sha256-NtwerXX8UFsoNy6k+DukJMriWtEjQtMU/Urbff2O2Dg=", + "lastModified": 1690957133, + "narHash": "sha256-0Y4CiOIszhHDDXHFmvHUpmhUotKOIn0m3jpMlm6zUTE=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "4cc688ee711159b9bcb5a367be44007934e1a49d", + "rev": "24f9162b26f0debd163f6d94752aa2acb9db395a", "type": "github" }, "original": { @@ -241,11 +241,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1688319245, + "lastModified": 1688428885, "narHash": "sha256-fVIbXKvHmxSUAKTMiXx799UasQwU2XT+op7bzvtfl8c=", "ref": "main", "rev": "9f32a304708fd9c91c081db05eee1b4f2e0226cc", - "revCount": 5, + "revCount": 2, "type": "git", "url": "ssh://gitea@git.newtype.fr/newtype/nixos-hypervisor" }, @@ -257,11 +257,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1685952468, - "narHash": "sha256-YCOr9kttCqoa9IZMjHxX6SlwenTg7FsSmG9TaT76mSE=", + "lastModified": 1691083802, + "narHash": "sha256-bjWTVGskCWR2BdB0Glnj2FyHooNiFThkFBF4oaAMe2s=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "70f7275b32f49bc67ae3532b758b80cb6c27f98a", + "rev": "096c262bbb73d84b8298d81c7daa9890c6ccd6da", "type": "github" }, "original": { @@ -273,11 +273,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1685938391, - "narHash": "sha256-96Jw6TbWDLSopt5jqCW8w1Fc1cjQyZlhfBnJ3OZGpME=", + "lastModified": 1691003216, + "narHash": "sha256-Qq/MPkhS12Bl0X060pPvX3v9ac3f2rRQfHjjozPh/Qs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "31cd1b4afbaf0b1e81272ee9c31d1ab606503aed", + "rev": "4a56ce9727a0c5478a836a0d8a8f641c5b9a3d5f", "type": "github" }, "original": { 
@@ -289,11 +289,11 @@ }, "nur": { "locked": { - "lastModified": 1685980073, - "narHash": "sha256-7BkreZ2cH488dR1XPcdlALj+2g+NvrZdG9ZhwRt0YFI=", + "lastModified": 1691109630, + "narHash": "sha256-NkltnE+ZMABNP7pJVj7ftu/58aTGa5PXxICLr8fjkI4=", "owner": "nix-community", "repo": "NUR", - "rev": "de817406e39c1f9be28fde1d62c1f1f0c91acb09", + "rev": "dcd922e7738fc027c73cd2cc110015d38fba9651", "type": "github" }, "original": { @@ -325,11 +325,11 @@ ] }, "locked": { - "lastModified": 1685966850, - "narHash": "sha256-HaWNbihBIBATmSbuXLzA92C4858tNdS9Q5kRHJNagVo=", + "lastModified": 1690557184, + "narHash": "sha256-KMGPz3pP7OoUZaUhgcuYG84CtVaJOQw6RK8J0fAtKt0=", "owner": "numtide", "repo": "srvos", - "rev": "4f22e6fcaf17c6313c2ecdc996760c3e4b14a623", + "rev": "ceed433086a85e5540bd73cff46497af5a09e36f", "type": "github" }, "original": { @@ -379,4 +379,3 @@ "root": "root", "version": 7 } - From 0e8785863ed8fb7dd6cf7b114372a67332fd9827 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 13 Aug 2023 01:21:32 +0200 Subject: [PATCH 23/45] epyc: nerf it --- modules/nix-daemon.nix | 38 ++++++++++++++++++++++++++++---------- 1 file changed, 28 insertions(+), 10 deletions(-) diff --git a/modules/nix-daemon.nix b/modules/nix-daemon.nix index ab3626e..760c768 100644 --- a/modules/nix-daemon.nix +++ b/modules/nix-daemon.nix @@ -1,6 +1,7 @@ { lib , config , pkgs +, inputs , ... }: @@ -29,6 +30,17 @@ in { domain = "*"; item = "nofile"; type = "-"; value = "20480"; } ]; + # Memory accounting techniques + systemd.services.nix-daemon.serviceConfig = { + MemoryAccounting = true; + MemoryMax = "225G"; + MemoryHigh = "220G"; + MemorySwapMax = "2G"; + ManagedOOMSwap = "kill"; + ManagedOOMMemoryPressure = "kill"; + MemoryPressureWatch = "on"; + }; + nix = { # Garbage-collect often gc.automatic = true; 
@@ -38,23 +50,21 @@ in # Randomize GC to avoid thundering herd effects. gc.randomizedDelaySec = "1800"; - # 2.11, 2.12 suffers from a bug with remote builders… - package = pkgs.nixVersions.nix_2_13; + # Inchallah, it works. + # package = lib.mkForce inputs.nixpkgs-unstable.legacyPackages.x86_64-linux.nixVersions.nix_2_17; # should be enough? nrBuildUsers = 128; - # https://github.com/NixOS/nix/issues/719 - daemonCPUSchedPolicy = "batch"; - daemonIOSchedClass = "best-effort"; - daemonIOSchedPriority = 5; - settings = { keep-outputs = true; keep-derivations = true; - max-jobs = 42; # 64 is too much, it will explode the RAM for now. Let's keep it serious. - # in zfs we trust - fsync-metadata = lib.boolToString (!config.boot.isContainer or config.fileSystems."/".fsType != "zfs"); + use-cgroups = true; + http-connections = 0; + auto-allocate-uids = true; + cores = 64; # 128 is too much, it will explode the RAM for now. Let's keep it serious. + max-jobs = 2; # Do not build more than 2 derivations at once in the event, both of them are too big, yes this is stupid, fix it in Nix. + fsync-metadata = true; substituters = [ "https://nix-community.cachix.org" "https://tum-dse.cachix.org" @@ -64,6 +74,14 @@ in "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "tum-dse.cachix.org-1:v67rK18oLwgO0Z4b69l30SrV1yRtqxKpiHodG4YxhNM=" ]; + experimental-features = [ + "auto-allocate-uids" + "ca-derivations" + "cgroups" + "discard-references" + "fetch-closure" + "impure-derivations" + ]; }; }; From 38e86907c81bdf8814e6c4196a2ff1c9a3486140 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 13 Aug 2023 01:24:09 +0200 Subject: [PATCH 24/45] epyc: maybe we can afford 2 jobs on localhost for Hydra? --- hosts/epyc.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/epyc.nix b/hosts/epyc.nix index ac0864b..019c5a9 100644 --- a/hosts/epyc.nix +++ b/hosts/epyc.nix 
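Review bot: The new `experimental-features` list enables `impure-derivations`, `ca-derivations`, `fetch-closure` and `discard-references` on a shared builder without saying who needs them. As I understand Nix, `impure-derivations` lets any derivation marked `__impure = true` run with network access, which weakens the isolation between jobs submitted by different users on this host (the `friends` accounts added later in this series are exactly such users), and `discard-references` lets a build drop store references from its outputs. I would keep only the features the new `use-cgroups`/`auto-allocate-uids` settings require — `cgroups` and `auto-allocate-uids` — and annotate each remaining entry with its consumer, e.g. `# needed by <jobset>`. `http-connections = 0` means "no limit" per the Nix manual as I read it; a comment saying so would stop it from being read as "disabled".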
@@ -31,7 +31,7 @@ in "riscv64-linux" ]; supportedFeatures = [ "kvm" "nixos-test" "big-parallel" "benchmark" ] ++ gcc-system-features "znver3"; - maxJobs = 1; + maxJobs = 2; } ]; From 85154e3d19031fc326eb83777ba6ccf52f659669 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 13 Aug 2023 01:24:14 +0200 Subject: [PATCH 25/45] flake: bump --- flake.lock | 155 ++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 149 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 4ef6807..5f9ac55 100644 --- a/flake.lock +++ b/flake.lock @@ -22,10 +22,32 @@ "type": "github" } }, - "colmena": { + "attic": { "inputs": { + "crane": "crane", "flake-compat": "flake-compat", "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs", + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1689457600, + "narHash": "sha256-1XLn2ZZMaqQx+Ys3eel5hQRkgUn3DeHcVb2JT8WYU0A=", + "owner": "zhaofengli", + "repo": "attic", + "rev": "4902d57f5dae8ec660ee9ee14c45c2192f9fe8b1", + "type": "github" + }, + "original": { + "owner": "zhaofengli", + "repo": "attic", + "type": "github" + } + }, + "colmena": { + "inputs": { + "flake-compat": "flake-compat_2", + "flake-utils": "flake-utils_2", "nixpkgs": [ "nixpkgs" ], @@ -45,6 +67,36 @@ "type": "github" } }, + "crane": { + "inputs": { + "flake-compat": [ + "attic", + "flake-compat" + ], + "flake-utils": [ + "attic", + "flake-utils" + ], + "nixpkgs": [ + "attic", + "nixpkgs" + ], + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1677892403, + "narHash": "sha256-/Wi0L1spSWLFj+UQxN3j0mPYMoc7ZoAujpUF/juFVII=", + "owner": "ipetkov", + "repo": "crane", + "rev": "105e27adb70a9890986b6d543a67761cbc1964a2", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, "darwin": { "inputs": { "nixpkgs": [ 
@@ -88,6 +140,22 @@ } }, "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { "flake": false, "locked": { "lastModified": 1650374568, @@ -161,6 +229,21 @@ } }, "flake-utils": { + "locked": { + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { "locked": { "lastModified": 1659877975, "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", @@ -257,16 +340,32 @@ }, "nixpkgs": { "locked": { - "lastModified": 1691083802, - "narHash": "sha256-bjWTVGskCWR2BdB0Glnj2FyHooNiFThkFBF4oaAMe2s=", + "lastModified": 1686519857, + "narHash": "sha256-VkBhuq67aXXiCoEmicziuDLUPPjeOTLQoj6OeVai5zM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "096c262bbb73d84b8298d81c7daa9890c6ccd6da", + "rev": "6b1b72c0f887a478a5aac355674ff6df0fc44f44", "type": "github" }, "original": { "owner": "NixOS", - "ref": "release-23.05", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1685004253, + "narHash": "sha256-AbVL1nN/TDicUQ5wXZ8xdLERxz/eJr7+o8lqkIOVuaE=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "3e01645c40b92d29f3ae76344a6d654986a91a91", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.05", "repo": "nixpkgs", "type": "github" } 
@@ -287,6 +386,22 @@ "type": "github" } }, + "nixpkgs_2": { + "locked": { + "lastModified": 1691083802, + "narHash": "sha256-bjWTVGskCWR2BdB0Glnj2FyHooNiFThkFBF4oaAMe2s=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "096c262bbb73d84b8298d81c7daa9890c6ccd6da", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, "nur": { "locked": { "lastModified": 1691109630, @@ -305,6 +420,7 @@ "root": { "inputs": { "agenix": "agenix", + "attic": "attic", "colmena": "colmena", "disko": "disko", "flake-parts": "flake-parts", @@ -312,12 +428,39 @@ "home-manager": "home-manager_2", "nixos-hardware": "nixos-hardware", "nixos-hypervisor": "nixos-hypervisor", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_2", "nixpkgs-unstable": "nixpkgs-unstable", "nur": "nur", "srvos": "srvos" } }, + "rust-overlay": { + "inputs": { + "flake-utils": [ + "attic", + "crane", + "flake-utils" + ], + "nixpkgs": [ + "attic", + "crane", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1675391458, + "narHash": "sha256-ukDKZw922BnK5ohL9LhwtaDAdCsJL7L6ScNEyF1lO9w=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "383a4acfd11d778d5c2efcf28376cbd845eeaedf", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "srvos": { "inputs": { "nixpkgs": [ From a812707b62157418a739a748349e34c3d244d153 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 16 Aug 2023 15:22:54 +0200 Subject: [PATCH 26/45] friends: init with ninjatrappeur --- hosts/epyc.nix | 1 + modules/users/friends.nix | 11 +++++++++++ modules/users/keys/ninjaTrappeur.keys | 3 +++ 3 files changed, 15 insertions(+) create mode 100644 modules/users/friends.nix create mode 100644 modules/users/keys/ninjaTrappeur.keys diff --git a/hosts/epyc.nix b/hosts/epyc.nix index 019c5a9..67025ab 100644 --- a/hosts/epyc.nix +++ b/hosts/epyc.nix 
@@ -10,6 +10,7 @@ in ../modules/iperf-server.nix ../modules/hypervisor.nix ../modules/hydra/coordinator.nix + ../modules/users/friends.nix ]; networking.hostName = "epyc"; diff --git a/modules/users/friends.nix b/modules/users/friends.nix new file mode 100644 index 0000000..8d5ea3f --- /dev/null +++ b/modules/users/friends.nix @@ -0,0 +1,11 @@ +{ ... }: { + users.users = { + ninjatrappeur = { + isNormalUser = true; + home = "/home/ninjatrappeur"; + shell = "/run/current-system/sw/bin/zsh"; + uid = 2000; + openssh.authorizedKeys.keyFiles = [ ./keys/ninjatrappeur.keys ]; + }; + }; +} diff --git a/modules/users/keys/ninjaTrappeur.keys b/modules/users/keys/ninjaTrappeur.keys new file mode 100644 index 0000000..2dd6171 --- /dev/null +++ b/modules/users/keys/ninjaTrappeur.keys @@ -0,0 +1,3 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClF9ko5u4zf0CEvleEeRbo9r6BMNgXEGO/rDNZOEHcKxVaeIi+/xF6ZQ5MZbcmH08lswq32hb1XwXg7Gk+ofUdEvCD/kC/vJijt7IFkardy6BNOSWQJLEf6/BpL3LzDQhi7iZXPF46VYoPVGHBh8fKQaAtOCrhbf/8JutfTwCglEztjoiQxY5b8OMfntjBSl6TJwZPJAoQllbJJz9q90sBetvqx6Y08eqIzsSZw6pznpvivRR+TSKU0EkVYS2y2zBAvPK6oyunj5zi01/FACT+Qn70dUkumZAvcPssbl0hCs/xDLgEL6hCEvoszodyMYVn7HS0KwfUlfiGdNUOFHIl +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHzd1XAB7Pc8Tplur5iV3llOXtvlHru8pLtQlbvHzmt1 +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOE7oDtq+xt5RuvMigDZMeZQODFr5Otz6HCO8wnI80oo From 62e37c45ea5d3347c71223861cad827690d73f6b Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 16 Aug 2023 15:32:04 +0200 Subject: [PATCH 27/45] =?UTF-8?q?keys:=20ninjaTrappeur=20=E2=86=92=20ninja?= =?UTF-8?q?trappeur?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- modules/users/keys/{ninjaTrappeur.keys => ninjatrappeur.keys} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename modules/users/keys/{ninjaTrappeur.keys => ninjatrappeur.keys} (100%) 
diff --git a/modules/users/keys/ninjaTrappeur.keys b/modules/users/keys/ninjatrappeur.keys similarity index 100% rename from modules/users/keys/ninjaTrappeur.keys rename to modules/users/keys/ninjatrappeur.keys From e460e8ca8a9775240399cdb9568a5c979fcfbab0 Mon Sep 17 00:00:00 2001 From: Julien Malka Date: Mon, 21 Aug 2023 13:57:12 +0200 Subject: [PATCH 28/45] Added nom to packages --- modules/packages.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/packages.nix b/modules/packages.nix index 7d84ab0..45482a8 100644 --- a/modules/packages.nix +++ b/modules/packages.nix @@ -5,6 +5,7 @@ socat whois + nix-output-monitor inputs.attic.packages.x86_64-linux.attic jq psmisc From 6ae5f622fb370c713f9274d5f410745f6ff73bc6 Mon Sep 17 00:00:00 2001 From: Julien Malka Date: Mon, 21 Aug 2023 13:57:34 +0200 Subject: [PATCH 29/45] removed builbot from trusted users --- modules/buildbot/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/buildbot/default.nix b/modules/buildbot/default.nix index ae77a56..99c7387 100644 --- a/modules/buildbot/default.nix +++ b/modules/buildbot/default.nix @@ -11,7 +11,7 @@ in { #buildbot worker - nix.settings.allowed-users = [ "buildbot-worker" ]; + # nix.settings.allowed-users = [ "buildbot-worker" ]; nix.settings.trusted-users = [ "buildbot-worker" ]; users.users.buildbot-worker = { description = "Buildbot Worker User."; From 7c1ab12829b55222b65fda2685d304ff8da9276b Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Thu, 17 Aug 2023 23:37:18 +0200 Subject: [PATCH 30/45] friends: init with linus --- modules/users/friends.nix | 17 ++++++++++++++++- modules/users/keys/linus.keys | 4 ++++ 2 files changed, 20 insertions(+), 1 deletion(-) create mode 100644 modules/users/keys/linus.keys diff --git a/modules/users/friends.nix b/modules/users/friends.nix index 8d5ea3f..684353f 100644 --- a/modules/users/friends.nix +++ b/modules/users/friends.nix 
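Review bot: The commit title says buildbot is removed from trusted users, but the hunk only comments out `nix.settings.allowed-users`; the context line `nix.settings.trusted-users = [ "buildbot-worker" ];` is untouched. A trusted user can pass arbitrary settings to the daemon (substituters, trusted-public-keys, sandbox-paths, extra builders), so the account that executes jobs from a remote CI master keeps effectively root-equivalent control over this host's store. If the title is the intent, change the context line to `# nix.settings.trusted-users = [ "buildbot-worker" ];` (or delete both lines) and configure whatever narrower setting the worker actually needs, such as a fixed `substituters` list, in the daemon configuration instead.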
@@ -1,11 +1,26 @@ -{ ... }: { +{ ... }: +let + trustedFriendGroups = [ + "production-hydra-db" + ]; +in +{ users.users = { ninjatrappeur = { isNormalUser = true; home = "/home/ninjatrappeur"; shell = "/run/current-system/sw/bin/zsh"; uid = 2000; + extraGroups = trustedFriendGroups; openssh.authorizedKeys.keyFiles = [ ./keys/ninjatrappeur.keys ]; }; + linus = { + isNormalUser = true; + home = "/home/linus"; + shell = "/run/current-system/sw/bin/zsh"; + uid = 2001; + extraGroups = trustedFriendGroups; + openssh.authorizedKeys.keyFiles = [ ./keys/linus.keys ]; + }; }; } diff --git a/modules/users/keys/linus.keys b/modules/users/keys/linus.keys new file mode 100644 index 0000000..59249fb --- /dev/null +++ b/modules/users/keys/linus.keys @@ -0,0 +1,4 @@ +ssh-rsa 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 +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN3EmXYSXsimS+vlGYtfTkOGuwvkXU0uHd2yYKLOxD2F +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIJWYrcu8usyqdLv4XO4i5TPaQhB+lH3Xbu2uz64hQe3 +sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAICDgQA1A1uHJsqLsSLLkuWNlxXrpGRD6Qx11WBbfP+SmAAAAEXNzaDpsaW51c0BiZWl3ZXJr From 69aac159fa460c9a2517832b842fd0288aa9c90c Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 22 Aug 2023 18:42:50 +0200 Subject: [PATCH 31/45] epyc: open postgresql publicly --- hosts/epyc.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hosts/epyc.nix b/hosts/epyc.nix index 67025ab..0b94506 100644 --- a/hosts/epyc.nix +++ b/hosts/epyc.nix @@ -17,6 +17,10 @@ in boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; + # Open public access to our PostgreSQL. + services.postgresql.enableTCPIP = true; + networking.firewall.allowedTCPPorts = [ 5432 ]; + virtualisation.nvisor.vms = { vm01 = { config = { pkgs, ... }: { From 6eec25d2bbe47fbf81d6c02bcc0f1ba8192e4d7c Mon Sep 17 00:00:00 2001 
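Review bot: `networking.firewall.allowedTCPPorts = [ 5432 ];` together with `services.postgresql.enableTCPIP = true;` exposes the database on every interface to the whole internet, and nothing in this hunk narrows who may authenticate, so access control rests entirely on pg_hba and the strength of each role's password. If the consumers are a known set of peers, prefer `networking.firewall.interfaces.<iface>.allowedTCPPorts = [ 5432 ];` on a VPN or private interface, or an `extraCommands` rule restricted to the peer addresses, and keep the public port closed. The `# Open public access to our PostgreSQL.` comment should at least name which clients need this and why a private path is not possible. The enclosing attrset begins before the hunk.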
From: Raito Bezarius Date: Tue, 22 Aug 2023 21:17:31 +0200 Subject: [PATCH 32/45] epyc: let authentication remote --- hosts/epyc.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hosts/epyc.nix b/hosts/epyc.nix index 0b94506..4d9dbbf 100644 --- a/hosts/epyc.nix +++ b/hosts/epyc.nix @@ -19,6 +19,9 @@ in # Open public access to our PostgreSQL. services.postgresql.enableTCPIP = true; + services.postgresql.authentication = '' + host hydra-nixos-org hydra_ro ::/0 trust + ''; networking.firewall.allowedTCPPorts = [ 5432 ]; virtualisation.nvisor.vms = { From 6228f5a2df4b48fa73e297f0d316b1d4299d69b1 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 23 Aug 2023 13:00:22 +0200 Subject: [PATCH 33/45] epyc: add android cache --- hosts/epyc.nix | 1 + modules/android-cache.nix | 13 +++++++++++++ 2 files changed, 14 insertions(+) create mode 100644 modules/android-cache.nix diff --git a/hosts/epyc.nix b/hosts/epyc.nix index 4d9dbbf..bf71054 100644 --- a/hosts/epyc.nix +++ b/hosts/epyc.nix @@ -10,6 +10,7 @@ in ../modules/iperf-server.nix ../modules/hypervisor.nix ../modules/hydra/coordinator.nix + ../modules/android-cache.nix ../modules/users/friends.nix ]; diff --git a/modules/android-cache.nix b/modules/android-cache.nix new file mode 100644 index 0000000..3fa3110 --- /dev/null +++ b/modules/android-cache.nix @@ -0,0 +1,13 @@ +{ lib, ... }: +let + mirrors = { + "https://android.googlesource.com" = "/var/lib/src/aosp/mirror"; + "https://github.com/LineageOS" = "/var/lib/src/lineageos/LineageOS"; + }; +in +{ + nix.envVars.ROBOTNIX_GIT_MIRRORS = lib.concatStringsSep "|" (lib.mapAttrsToList (local: remote: "${local}=${remote}") mirrors); + + # Also add local mirrors to nix sandbox exceptions + nix.sandboxPaths = lib.attrValues mirrors; +} From 47e322b416902d4dfce1fed8a40b704f40dc5c94 Mon Sep 17 00:00:00 2001 
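Review bot: `host hydra-nixos-org hydra_ro ::/0 trust` accepts any IPv6 client on the internet as `hydra_ro` without presenting any credential, and the previous commit opened 5432 publicly, so this is anonymous read access to the production database; `trust` is only appropriate on loopback or a network where every peer is already authenticated. Use a password method and a narrow source instead, e.g. `host hydra-nixos-org hydra_ro <peer-cidr> scram-sha-256`, with the `hydra_ro` password set out of band rather than in the repository. Note also that `::/0` matches only IPv6 clients, so IPv4 peers silently fall through to the remaining pg_hba rules; the order relative to the module's own default rules should be checked in the generated pg_hba.conf. The enclosing attrset starts before the hunk.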
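Review bot: The lambda in `lib.mapAttrsToList (local: remote: "${local}=${remote}") mirrors` names its parameters backwards: the attribute name is the remote URL and the value is the local mirror path, so the string produced is `remote=local` while the code reads as the opposite; `lib.mapAttrsToList (remote: local: "${remote}=${local}") mirrors` yields identical output and matches the intent. Separately, `nix.sandboxPaths = lib.attrValues mirrors;` makes the host directories under `/var/lib/src` visible to every sandboxed build on this machine, so whoever can write those directories can influence what fetches from the mirrors produce. A comment naming who maintains the mirrors and whether the sandbox exposure is read-only would help, e.g. `# Mirrors under /var/lib/src are maintained by <owner>; exposed to all sandboxed builds — confirm they are mounted read-only`.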
From: Raito Bezarius Date: Wed, 23 Aug 2023 14:58:50 +0200 Subject: [PATCH 34/45] epyc: disable lineageOS for now --- modules/android-cache.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/android-cache.nix b/modules/android-cache.nix index 3fa3110..1aa3e93 100644 --- a/modules/android-cache.nix +++ b/modules/android-cache.nix @@ -2,7 +2,7 @@ let mirrors = { "https://android.googlesource.com" = "/var/lib/src/aosp/mirror"; - "https://github.com/LineageOS" = "/var/lib/src/lineageos/LineageOS"; + # "https://github.com/LineageOS" = "/var/lib/src/lineageos/LineageOS"; }; in { From eff88f398d413dbd3202a449fbfaa0ca96e6ce10 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Thu, 24 Aug 2023 23:59:59 +0000 Subject: [PATCH 35/45] keys: gdd quality --- modules/users/keys/gdd.keys | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/users/keys/gdd.keys b/modules/users/keys/gdd.keys index f176c04..324c5aa 100644 --- a/modules/users/keys/gdd.keys +++ b/modules/users/keys/gdd.keys @@ -1 +1,2 @@ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIqnCNhMl5KgERtpFAVUjd11JDsf0uQ/8NY5sj4tnjw5 From 07e223048d31519524c50dfcd13bf8b387f5e703 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Thu, 24 Aug 2023 19:46:52 +0200 Subject: [PATCH 36/45] epyc: add lineageOS again --- modules/android-cache.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/android-cache.nix b/modules/android-cache.nix index 1aa3e93..7689165 100644 --- a/modules/android-cache.nix +++ b/modules/android-cache.nix @@ -2,7 +2,7 @@ let mirrors = { "https://android.googlesource.com" = "/var/lib/src/aosp/mirror"; - # "https://github.com/LineageOS" = "/var/lib/src/lineageos/LineageOS"; + "https://github.com/LineageOS" = "/var/lib/src/lineageos"; }; in { From 39134145c046fb3e2568653a40d7adf5a1bbbe2c Mon Sep 17 00:00:00 2001 
From: Raito Bezarius Date: Fri, 25 Aug 2023 15:06:19 +0200 Subject: [PATCH 37/45] epyc: add linageOS better --- modules/android-cache.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/android-cache.nix b/modules/android-cache.nix index 7689165..3fa3110 100644 --- a/modules/android-cache.nix +++ b/modules/android-cache.nix @@ -2,7 +2,7 @@ let mirrors = { "https://android.googlesource.com" = "/var/lib/src/aosp/mirror"; - "https://github.com/LineageOS" = "/var/lib/src/lineageos"; + "https://github.com/LineageOS" = "/var/lib/src/lineageos/LineageOS"; }; in { From 279344c454d0f8c52550ef8f1bc4b11ead1b19a8 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 26 Aug 2023 19:00:04 +0200 Subject: [PATCH 38/45] epyc: add TheMuppets --- modules/android-cache.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/android-cache.nix b/modules/android-cache.nix index 3fa3110..96a2968 100644 --- a/modules/android-cache.nix +++ b/modules/android-cache.nix @@ -3,6 +3,7 @@ let mirrors = { "https://android.googlesource.com" = "/var/lib/src/aosp/mirror"; "https://github.com/LineageOS" = "/var/lib/src/lineageos/LineageOS"; + "https://github.com/TheMuppets" = "/var/lib/src/themuppets/TheMuppets"; }; in { From b152bd7826272ab7d9ab117d7fd1f378d3f6e130 Mon Sep 17 00:00:00 2001 From: Julien Malka Date: Wed, 6 Sep 2023 11:22:23 +0200 Subject: [PATCH 39/45] added luj x2100 key --- modules/users/keys/luj.keys | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/users/keys/luj.keys b/modules/users/keys/luj.keys index c9c3829..a95104b 100644 --- a/modules/users/keys/luj.keys +++ b/modules/users/keys/luj.keys 
@@ -1,4 +1,5 @@ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM9Uzb7szWlux7HuxLZej9cBR5MhLz/vaAPPfSoozt2k +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHoYi9YFzovZfwrY3BUA3QqcyBE8gfNTncbs3qqkLbyY ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDCKfPoMNrnyNWH6J1OvQ+n1rvSS9Sc2iZf6E1JQC+L4 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIESMWr29i3rhj32oLV3DKe57YI+jvNaKjZhhpq6dEjsn ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOCKgHRHAJDSgKqYNfWboL04mnEOM0m0K3TGxBhBNDR From 3dcb366c3b56f93d50b3e526d49cd9b069f3b7a6 Mon Sep 17 00:00:00 2001 From: Julien Malka Date: Mon, 11 Sep 2023 19:56:06 +0200 Subject: [PATCH 40/45] I need to hydraing --- modules/users/admins.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/users/admins.nix b/modules/users/admins.nix index 2101ef7..877eb09 100644 --- a/modules/users/admins.nix +++ b/modules/users/admins.nix @@ -22,7 +22,8 @@ in luj = { isNormalUser = true; home = "/home/luj"; - inherit (config.users.users.raito) extraGroups; + inherit (config.users.users.raito); + extraGroups = extraGroups ++ [ "production-hydra-db" ]; shell = "/run/current-system/sw/bin/zsh"; uid = 1001; openssh.authorizedKeys.keyFiles = [ ./keys/luj.keys ]; From 8d57383bc37a3bd246749c5b0072448d5d9068ef Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 12 Sep 2023 14:08:03 +0200 Subject: [PATCH 41/45] epyc: add raito@thorkell in builder --- modules/builder.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/builder.nix b/modules/builder.nix index 5dc80c8..08340ea 100644 --- a/modules/builder.nix +++ b/modules/builder.nix @@ -3,8 +3,8 @@ isNormalUser = true; home = "/home/nix"; openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAZpEtSfB0GDwcELc5/AKNiBZJV9OVfQ0BMFzBlF+8Yd raito@everywhere" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA3hCOyFwuoCLt5W9e9yQSwj9I+VspB0kNNHsoFngbgZ raito@thors" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF07Sy0O+oletFYlrfS0+XtBWJO2F+Rc9J/ocNLBa/OE raito@thorkell" ]; uid = 5001; }; 
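Review bot: `inherit (config.users.users.raito);` names no attributes, so it is a no-op, and the `extraGroups` on the right-hand side of the next line is not bound by it; unless a let-binding above the hunk (the header shows `in`, so one exists) defines `extraGroups`, evaluation fails with an undefined variable. The intended form is a single line, `extraGroups = config.users.users.raito.extraGroups ++ [ "production-hydra-db" ];`, with the empty inherit dropped. A short comment on why luj needs the production database group would also help, since the rest of this account's privileges are copied wholesale from raito. The `luj` attrset continues outside the hunk.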
From 5a1aa0eef7ba6a4549fdb6a52aa2ac3140ef9db9 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 22 Aug 2023 22:14:20 +0200 Subject: [PATCH 42/45] epyc: add garage node --- hosts/epyc.nix | 2 ++ modules/garage.nix | 26 ++++++++++++++++++++++++++ 2 files changed, 28 insertions(+) create mode 100644 modules/garage.nix diff --git a/hosts/epyc.nix b/hosts/epyc.nix index bf71054..128c2e8 100644 --- a/hosts/epyc.nix +++ b/hosts/epyc.nix @@ -11,10 +11,12 @@ in ../modules/hypervisor.nix ../modules/hydra/coordinator.nix ../modules/android-cache.nix + ../modules/garage.nix ../modules/users/friends.nix ]; networking.hostName = "epyc"; + boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; diff --git a/modules/garage.nix b/modules/garage.nix new file mode 100644 index 0000000..8859d9c --- /dev/null +++ b/modules/garage.nix @@ -0,0 +1,26 @@ +{ pkgs, ... }: { + services.garage = { + enable = true; + package = pkgs.garage_0_8; + settings = { + db_engine = "lmdb"; + block_size = (10 * 1024 * 1024); # 10MB + replication_mode = "none"; + rpc_bind_addr = "[::1]:3901"; + rpc_public_addr = "[::1]:3901"; + rpc_secret = "f5b8ede0abe0a3d454d96e8b352e29a1d94522b64274d23b256d57482441ccc1"; + + s3_api = { + s3_region = "garage"; + api_bind_addr = "[::1]:3900"; + root_domain = ".s3.infra.newtype.fr"; + }; + + s3_web = { + bind_addr = "[::1]:3902"; + root_domain = ".web.infra.newtype.fr"; + index = "index.html"; + }; + }; + }; +} From 80099f64aba28d5669af955f08b8d23b6415ecc1 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Mon, 18 Sep 2023 09:59:14 +0200 Subject: [PATCH 43/45] users/friends: allow linus to be root --- modules/users/friends.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/users/friends.nix b/modules/users/friends.nix index 684353f..afb5437 100644 --- a/modules/users/friends.nix +++ b/modules/users/friends.nix 
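Review bot: `rpc_secret = "…"` places a long-lived cluster secret in the Nix configuration, which ends up in the world-readable /nix/store and, via this commit, in the repository, so any local user or anyone with repository access can join or impersonate a Garage node; the value committed here should be treated as compromised and rotated. Load it from a root-only file outside the store instead, e.g. `rpc_secret_file = "/run/secrets/garage-rpc";` (with the file provisioned by the host's secret tooling) if the packaged Garage 0.8 supports that key, or otherwise the module's environment-file option carrying `GARAGE_RPC_SECRET`. `replication_mode = "none"` also deserves a one-line comment stating that this is a deliberate single-node deployment without redundancy.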
@@ -19,7 +19,9 @@ in
 home = "/home/linus";
 shell = "/run/current-system/sw/bin/zsh";
 uid = 2001;
- extraGroups = trustedFriendGroups;
+ # Raito: I allowed linus to be root to get some stuff done
+ # on behalf of me.
+ extraGroups = [ "wheel" ] ++ trustedFriendGroups;
 openssh.authorizedKeys.keyFiles = [ ./keys/linus.keys ];
 };
 };
From df7c5aa2f99d4ef3defbd84390461c1487f57e55 Mon Sep 17 00:00:00 2001
From: Julien Malka
Date: Mon, 18 Sep 2023 15:49:56 +0200
Subject: [PATCH 44/45] luj: key update
---
 modules/users/keys/luj.keys | 1 +
 1 file changed, 1 insertion(+)
diff --git a/modules/users/keys/luj.keys b/modules/users/keys/luj.keys
index a95104b..2536b0e 100644
--- a/modules/users/keys/luj.keys
+++ b/modules/users/keys/luj.keys
@@ -9,4 +9,5 @@ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILxfFq8wx5Bet5Q0gI28/lc9ryYYFQelpZdPPdzxGBbA
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILKIDLmQQ+P+jE4zVRpdVp8fmYEe4nzPDqYZt6A4eyIi
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAkj2xsN7Qt/Ew2QO+HiF2yOjXPRucZ3SbIdPDLJoh22
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCUt5I3IgONzYsMOFnRXtvR/uLXlIs6oWsCmh6YGgnpGD4M9lFdoYAOeC1faQUnP66sNs6AoacrGlPZ1UkVUqYEoIr2hiNCDRzzLCQ2J/sSaw7Hv0PKT7MWMo8R076M3TrdunCchBJI1noez3waM9aL4b/iYVhxym28ET55QrWjyMQfZL9PXzOKZatNVcK8AmdtSbI+pFrm/tTZPa321drm9PHOo9CL+lG4YmVZcXa0bVfVtk1GXlWwNpCj2ExLmbF1rRpAa05khfnbg3sBSklwf5NRXj11KneodKRF81ji7MtBhIIfoEXSYht7yspdkkS9e9mv16VGV+2ziM8zG3MK/iUq7fg5ksN54D3DNrd9iI5WjQZsLUrK0ypxO2NtvupWGYt3rCyKA/QvynbxOWFp6cy3Evej142hsfbiOcPIgCtGdHIBevp+KmPxkHBqsJPBqb3Y7nOMT1/ggDMtvHZEZJjEI2D2RjZNEXGbq63OPAqEkgmecW0cXlrjLEGhF2E=
From 86ae720a2a6ed1cf55f0bedad1231574feffd653 Mon Sep 17 00:00:00 2001
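Review bot: `extraGroups = [ "wheel" ] ++ trustedFriendGroups;` turns a friend account into a full administrator via sudo, and the added comment records only that it is for "some stuff" on Raito's behalf, not for how long; an expiry or removal condition keeps the grant from becoming permanent, e.g. `# TODO(raito): drop "wheel" once <task> is done (granted 2023-09-18)`. The hunk sets no password for linus, so whether sudo is usable depends on `security.sudo.wheelNeedsPassword` elsewhere in the configuration; if that is false, every key in `./keys/linus.keys` is now a passwordless root key, which is worth stating next to the grant. The `linus` attrset begins before the hunk.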
From: Linus Heckemann Date: Mon, 18 Sep 2023 11:18:07 +0200 Subject: [PATCH 45/45] garage: add reverse proxy for S3 access from outside TODO: subdomains? --- modules/garage.nix | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/modules/garage.nix b/modules/garage.nix index 8859d9c..be45bfe 100644 --- a/modules/garage.nix +++ b/modules/garage.nix @@ -23,4 +23,15 @@ }; }; }; + + services.nginx = { + enable = true; + virtualHosts."s3.infra.newtype.fr" = { + forceSSL = true; + enableACME = true; + locations."/".proxyPass = "http://[::1]:3900/"; + }; + }; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; }
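Review bot: The vhost matches only the exact name `s3.infra.newtype.fr`, while the Garage S3 API earlier in this file (outside the hunk) is configured with a `root_domain` of `.s3.infra.newtype.fr`, so virtual-hosted bucket requests such as `bucket.s3.infra.newtype.fr` land on nginx's default server rather than this proxy — that is the TODO in the commit message, and it can be covered with `serverAliases = [ "*.s3.infra.newtype.fr" ];` plus a matching certificate, or by documenting that only path-style access is supported. Proxying S3 through nginx also needs the default 1 MiB request body limit lifted (`extraConfig = "client_max_body_size 0;";` or a sensible cap) and the `Host` header forwarded (`recommendedProxySettings = true;`), otherwise uploads over 1 MiB fail and Garage cannot resolve the bucket from the host name. `networking.firewall.allowedTCPPorts = [ 80 443 ];` merges with the host's other firewall lists, which is fine, but a one-line comment tying port 80 to the ACME challenge would make the intent clear.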