From f6c1177c38e038206c043338a9b78477b03e54a0 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Mon, 5 Jun 2023 19:46:42 +0200 Subject: [PATCH 01/83] infra: init vieuxtype.infra.newtype.fr --- configurations.nix | 26 +++++++++++- docs/vieuxtype.lstopo.svg | 63 +++++++++++++++++++++++++++++ docs/vieuxtype.md | 83 +++++++++++++++++++++++++++++++++++++++ hosts/vieuxtype.nix | 28 +++++++++++++ modules/gitea.nix | 34 ++++++++++++++++ modules/hardware/vm.nix | 14 +++++++ modules/hosts.nix | 5 ++- modules/nix-daemon.nix | 12 +++++- modules/packages.nix | 20 ++++++++++ modules/tailscale.nix | 5 +++ modules/users/admins.nix | 5 --- modules/users/yvan.nix | 17 ++++++++ modules/zsh.nix | 9 +++++ 13 files changed, 312 insertions(+), 9 deletions(-) create mode 100644 docs/vieuxtype.lstopo.svg create mode 100644 docs/vieuxtype.md create mode 100644 hosts/vieuxtype.nix create mode 100644 modules/gitea.nix create mode 100644 modules/hardware/vm.nix create mode 100644 modules/tailscale.nix create mode 100644 modules/users/yvan.nix diff --git a/configurations.nix b/configurations.nix index caaed52..05ccb4f 100644 --- a/configurations.nix +++ b/configurations.nix @@ -40,7 +40,8 @@ let srvos.nixosModules.server # srvos.nixosModules.mixins-telegraf - # srvos.nixosModules.mixins-terminfo + srvos.nixosModules.mixins-trusted-nix-caches + srvos.nixosModules.mixins-terminfo agenix.nixosModules.default ({ pkgs @@ -55,6 +56,11 @@ let "nixpkgs=${pkgs.path}" "nur=${nur}" ]; + + environment.systemPackages = [ + pkgs.kitty.terminfo + ]; + # TODO: share nixpkgs for each machine to speed up local evaluation. #nixpkgs.pkgs = self.inputs.nixpkgs.legacyPackages.${system}; @@ -88,7 +94,16 @@ in ./hosts/epyc.nix ]; }; + vieuxtype = nixosSystem { + system = "x86_64-linux"; + modules = + commonModules + ++ colmenaModules + ++ [ + ./hosts/vieuxtype.nix + ]; }; + }; flake.colmena = { meta.nixpkgs = import nixpkgs { 
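Review bot: The `srvos.nixosModules.mixins-trusted-nix-caches` entry added to `commonModules` in the first configurations.nix hunk applies to every host, and nothing in the file records which binary caches or signing keys it brings in. Judging by its name it extends the substituter trust set, so a bump of the `srvos` input could change what every machine accepts as pre-built store paths. A comment above the entry such as `# adds third-party substituters + public keys on all hosts; re-check the list when bumping srvos` would make that visible. PATCH 06/83 repeats the addition and also keeps the older commented-out `# srvos.nixosModules.mixins-terminfo` line, which is now redundant. The `commonModules` list starts outside the hunk.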
@@ -101,5 +116,14 @@ in ./hosts/epyc.nix ]; }; + vieuxtype = { + system = "x86_64-linux"; + modules = + commonModules + ++ [ + ./hosts/vieuxtype.nix + ]; + }; + }; } diff --git a/docs/vieuxtype.lstopo.svg b/docs/vieuxtype.lstopo.svg new file mode 100644 index 0000000..da866d3 --- /dev/null +++ b/docs/vieuxtype.lstopo.svg @@ -0,0 +1,63 @@ + + + + Machine (5936MB total) + + Package L#0 + + L3 (16MB) + + L2 (4096KB) + + L1d (32KB) + + L1i (32KB) + + Core L#0 + + PU L#0 + P#0 + + NUMANode L#0 P#0 (5936MB) + + + + + + + + + + + + PCI 00:01.1 + + Block sr0 + 541 MB + + PCI 00:02.0 + + PCI 00:03.0 + + PCI 00:05.0 + + Block sda + 40 GB + + PCI 00:12.0 + + Net ens18 + + PCI 00:13.0 + + Net ens19 + + PCI 00:14.0 + + Net ens20 + + MemoryModule + + Host: vieuxtype + Date: Mon 05 Jun 2023 08:15:31 PM CEST + diff --git a/docs/vieuxtype.md b/docs/vieuxtype.md new file mode 100644 index 0000000..ca86ff2 --- /dev/null +++ b/docs/vieuxtype.md 
@@ -0,0 +1,83 @@ +# vieuxtype + +``` +System: Host: vieuxtype Kernel: 6.1.31 x86_64 bits: 64 compiler: gcc v: 12.2.0 + parameters: initrd=\efi\nixos\mf13ryz0gl48s8672gzg80lvq9yd8189-initrd-linux-6.1.31-initrd.efi + init=/nix/store/5c8yhqcmf24d61m99cpqc3ffjma90cxs-nixos-system-vieuxtype-23.05.553.e7603eba51f/init + console=ttyS0,115200 panic=30 boot.panic_on_fail loglevel=4 + Console: N/A Distro: NixOS 23.05 (Stoat) +Machine: Type: Kvm System: QEMU product: Standard PC (i440FX + PIIX, 1996) v: pc-i440fx-7.2 + serial: N/A Chassis: type: 1 v: pc-i440fx-7.2 serial: N/A + Mobo: N/A model: N/A serial: N/A UEFI: EFI Development Kit II / OVMF v: 3.20230228-2 + date: 04/04/2023 +Memory: RAM: total: 5.8 GiB used: 820.6 MiB (13.8%) + Array-1: capacity: 6 GiB slots: 1 EC: Multi-bit ECC max-module-size: 6 GiB note: est. + Device-1: DIMM 0 size: 6 GiB speed: N/A type: RAM detail: other bus-width: Unknown + total: Unknown manufacturer: QEMU part-no: Not Specified serial: Not Specified +PCI Slots: Message: No PCI Slot data found. 
+CPU: Info: Single Core model: Common KVM bits: 64 type: MCP arch: Netburst Presler + family: F (15) model-id: 6 stepping: 1 microcode: 1 cache: L2: 16 MiB + flags: lm nx pae sse sse2 sse3 bogomips: 5199 + Speed: 2600 MHz min/max: N/A base/boost: 2000/2000 Core speed (MHz): 1: 2600 + Vulnerabilities: Type: itlb_multihit status: KVM: VMX unsupported + Type: l1tf mitigation: PTE Inversion + Type: mds + status: Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown + Type: meltdown mitigation: PTI + Type: mmio_stale_data status: Unknown: No mitigations + Type: retbleed status: Not affected + Type: spec_store_bypass status: Vulnerable + Type: spectre_v1 mitigation: usercopy/swapgs barriers and __user pointer sanitization + Type: spectre_v2 + mitigation: Retpolines, STIBP: disabled, RSB filling, PBRSB-eIBRS: Not affected + Type: srbds status: Not affected + Type: tsx_async_abort status: Not affected +Graphics: Device-1: vendor: Red Hat driver: bochs-drm v: N/A alternate: bochs bus-ID: 00:02.0 + chip-ID: 1234:1111 class-ID: 0300 + Display: server: No display server data found. Headless machine? tty: N/A + Message: Advanced graphics data unavailable in console for root. +Audio: Message: No device data found. 
+Network: Device-1: Intel 82371AB/EB/MB PIIX4 ACPI vendor: Red Hat Qemu virtual machine + type: network bridge driver: piix4_smbus v: N/A modules: i2c_piix4 port: 10c0 + bus-ID: 00:01.3 chip-ID: 8086:7113 class-ID: 0680 + Device-2: Red Hat Virtio network driver: virtio-pci v: 1 modules: virtio_pci port: 10e0 + bus-ID: 00:12.0 chip-ID: 1af4:1000 class-ID: 0200 + IF: ens18 state: up speed: -1 duplex: unknown mac: da:3e:b0:11:ae:0a + IP v4: 169.254.129.42/16 type: noprefixroute scope: global broadcast: 169.254.255.255 + IP v6: 2a01:e0a:5f9:9681:33ba:55f5:6e55:beef/64 type: temporary dynamic scope: global + IP v6: 2a01:e0a:5f9:9681:d83e:b0ff:fe11:ae0a/64 type: dynamic mngtmpaddr scope: global + IP v6: 2a01:e0a:5f9:9681:a498:fffb:e48d:299/64 scope: global + IP v6: fe80::d83e:b0ff:fe11:ae0a/64 scope: link + Device-3: Red Hat Virtio network driver: virtio-pci v: 1 modules: virtio_pci port: 1400 + bus-ID: 00:13.0 chip-ID: 1af4:1000 class-ID: 0200 + IF: ens19 state: up speed: -1 duplex: unknown mac: 72:38:5f:a6:82:5a + IP v4: 10.32.64.196/20 type: dynamic noprefixroute scope: global + broadcast: 10.32.79.255 + IP v6: fe80::7038:5fff:fea6:825a/64 scope: link + Device-4: Red Hat Virtio network driver: virtio-pci v: 1 modules: virtio_pci port: 1420 + bus-ID: 00:14.0 chip-ID: 1af4:1000 class-ID: 0200 + IF: ens20 state: up speed: -1 duplex: unknown mac: 8e:38:09:a2:8c:9e + IP v4: 10.32.64.224/20 type: dynamic noprefixroute scope: global + broadcast: 10.32.79.255 + IP v6: fe80::8c38:9ff:fea2:8c9e/64 scope: link + IF-ID-1: tailscale0 state: unknown speed: -1 duplex: full mac: N/A + IP v6: fe80::7d4f:3369:71cc:66d5/64 virtual: stable-privacy scope: link + WAN IP: 82.65.118.1 +Drives: Local Storage: total: 40 GiB used: 10.33 GiB (25.8%) + ID-1: /dev/sda maj-min: 8:0 vendor: QEMU model: HARDDISK size: 40 GiB block-size: + physical: 512 B logical: 512 B speed: serial: drive-scsi0 rev: 2.5+ + scheme: GPT + SMART: no +Partition: ID-1: / raw-size: 11.5 GiB size: 11.22 GiB (97.55%) used: 
10.27 GiB (91.6%) fs: ext4 + block-size: 4096 B dev: /dev/sda1 maj-min: 8:1 + ID-2: /boot raw-size: 511 MiB size: 510 MiB (99.80%) used: 54.9 MiB (10.8%) fs: vfat + block-size: 512 B dev: /dev/sda3 maj-min: 8:3 +Swap: Kernel: swappiness: 60 (default) cache-pressure: 100 (default) + ID-1: swap-1 type: partition size: 8 GiB used: 0 KiB (0.0%) priority: -2 dev: /dev/sda2 + maj-min: 8:2 +Sensors: Message: No sensor data found. Is lm-sensors configured? +Info: Processes: 107 Uptime: N/A wakeups: 1 Init: systemd v: 253 target: multi-user.target + tool: systemctl Compilers: gcc: 12.2.0 Packages: 899 nix-default: 9 nix-sys: 881 + lib: 155 nix-usr: 9 lib: 3 Client: Sudo v: 1.9.13p3 inxi: 3.3.04 +``` +![hardware topology](vieuxtype.lstopo.svg) diff --git a/hosts/vieuxtype.nix b/hosts/vieuxtype.nix new file mode 100644 index 0000000..41bd6e5 --- /dev/null +++ b/hosts/vieuxtype.nix @@ -0,0 +1,28 @@ +{ + imports = [ + ../modules/hardware/vm.nix + ../modules/gitea.nix + ../modules/tailscale.nix + ../modules/users/yvan.nix + ]; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/fe1d2e0d-9210-4a2d-b584-d1e131747ea3"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/8782-7801"; + fsType = "vfat"; + }; + + swapDevices = + [{ device = "/dev/disk/by-uuid/c9511ddb-e41f-436c-ad1f-9b587ed0ba11"; }]; + + networking.hostName = "vieuxtype"; + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + # simd.arch = "znver3"; + system.stateVersion = "23.05"; +} diff --git a/modules/gitea.nix b/modules/gitea.nix new file mode 100644 index 0000000..1fd9dc7 --- /dev/null +++ b/modules/gitea.nix 
@@ -0,0 +1,34 @@ +{ ... }: { + services.gitea = { + enable = true; + appName = "Newtype's Git"; + mailerPasswordFile = "/var/lib/secrets/gitea/mailpw"; + settings = { + server = { + ROOT_URL = "https://git.newtype.fr"; + DOMAIN = "git.newtype.fr"; + }; + service.DISABLE_REGISTRATION = true; + session.COOKIE_SECURE = true; + mailer = { + ENABLED = true; + HOST = "mail.gandi.net:465"; + USER = "git@newtype.fr"; + FROM = "Newtype's Git "; + IS_TLS_ENABLED = true; + }; + }; + }; + + services.nginx = { + enable = true; + virtualHosts."git.newtype.fr" = { + enableACME = true; + forceSSL = true; + locations."/" = { proxyPass = "http://127.0.0.1:3000"; }; + }; + }; + + security.acme.certs = { "git.newtype.fr".email = "contact@newtype.fr"; }; + security.acme.acceptTerms = true; +} diff --git a/modules/hardware/vm.nix b/modules/hardware/vm.nix new file mode 100644 index 0000000..9d457ec --- /dev/null +++ b/modules/hardware/vm.nix @@ -0,0 +1,14 @@ +{ lib, modulesPath, ... }: { + imports = [ "${modulesPath}/profiles/qemu-guest.nix" ]; + + boot.initrd.availableKernelModules = + [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + services.qemuGuest.enable = true; + + # VMs are noisy for this type of thing usually. + nix.settings.max-jobs = lib.mkDefault 1; +} diff --git a/modules/hosts.nix b/modules/hosts.nix index 9a5bc26..794b6d8 100644 --- a/modules/hosts.nix +++ b/modules/hosts.nix @@ -37,11 +37,14 @@ in ) "Please add network configuration for ${config.networking.hostName}. None found in ${./hosts.nix}"; - # usually, for each host there is a hostname.dse.in.tum.de and hostname.r domain + # usually, for each host there is a hostname.infra.newtype.fr networking.newtype.hosts = { epyc = { ipv6 = "2001:470:ca5e:dee:587c:7a50:f36c:cae8"; }; + vieuxtype = { + ipv6 = "2a01:e0a:5f9:9681:a498:fffb:e48d:299"; + }; }; }; } 
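Review bot: In modules/gitea.nix the `server` block sets only `ROOT_URL` and `DOMAIN`, so Gitea keeps its default listen address even though nginx is meant to be the sole entry point through `proxyPass = "http://127.0.0.1:3000"`. Adding `HTTP_ADDR = "127.0.0.1";` to `settings.server` keeps the plain-HTTP backend off every other interface, rather than relying on the firewall alone. `mailerPasswordFile = "/var/lib/secrets/gitea/mailpw"` is outside the Nix store, which is right, but nothing in this patch creates the file. Since `agenix.nixosModules.default` is already in `commonModules`, either declare the secret there or add a comment saying how the file is provisioned and with which owner and mode.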
diff --git a/modules/nix-daemon.nix b/modules/nix-daemon.nix index ffda29f..b45d3a8 100644 --- a/modules/nix-daemon.nix +++ b/modules/nix-daemon.nix @@ -24,11 +24,19 @@ in config = { warnings = lib.optionals (config.simd.arch == null) [ "Please set simd.arch for ${config.networking.hostName}" ]; + # Allow more open files for non-root users to run NixOS VM tests. + security.pam.loginLimits = [ + { domain = "*"; item = "nofile"; type = "-"; value = "20480"; } + ]; nix = { + # Garbage-collect often gc.automatic = true; - gc.dates = "03:15"; - gc.options = "--delete-older-than 30d"; + gc.dates = "*:45"; + gc.options = ''--max-freed "$((128 * 1024**3 - 1024 * $(df -P -k /nix/store | tail -n 1 | ${pkgs.gawk}/bin/awk '{ print $4 }')))"''; + + # Randomize GC to avoid thundering herd effects. + gc.randomizedDelaySec = "1800"; # 2.11, 2.12 suffers from a bug with remote builders… package = pkgs.nixVersions.nix_2_13; diff --git a/modules/packages.nix b/modules/packages.nix index c396d63..1086d5f 100644 --- a/modules/packages.nix +++ b/modules/packages.nix @@ -1,4 +1,7 @@ { pkgs, ... }: { + # documentation.dev.enable = true; + # environment.extraOutputsToInstall = [ "info" "man" "devman" ]; + # this extends the list from: # https://github.com/numtide/srvos/blob/master/server.nix#L10 environment.systemPackages = with pkgs; [ @@ -34,6 +37,23 @@ usbutils ipmitool + + (neovim.override { + viAlias = true; + vimAlias = true; + configure = { + packages.myPlugins = with pkgs.vimPlugins; { + start = [ vim-lastplace vim-nix ]; + opt = [ ]; + }; + }; + }) + # tries to default to soft-float due to out-dated cc-rs ] ++ lib.optional (!stdenv.hostPlatform.isRiscV) bandwhich; + + programs.vim.defaultEditor = true; + environment.variables = { EDITOR = "nvim"; }; + programs.mosh.enable = true; + programs.tmux.enable = true; } diff --git a/modules/tailscale.nix b/modules/tailscale.nix new file mode 100644 index 0000000..14ffc74 --- /dev/null +++ b/modules/tailscale.nix 
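Review bot: The new `gc.options` in modules/nix-daemon.nix hard-codes a 128 GiB free-space target (`128 * 1024**3`), while docs/vieuxtype.md in this same patch shows vieuxtype with a 40 GiB disk. If that host uses this module, every hourly run (`gc.dates = "*:45"`) will ask to free more than the disk holds and collect everything unreachable. On a host that already has more than 128 GiB free the shell arithmetic goes negative, and it is worth confirming how `--max-freed` handles that before relying on the timer. Consider a per-host threshold option, and a comment noting that dropping `--delete-older-than 30d` means old generations are no longer pruned by this job. The identical hunk appears again in PATCH 08/83, and the `config = {` block continues outside the hunk.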
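Review bot: `programs.mosh.enable = true` at the end of the second modules/packages.nix hunk sits in a module whose header says it extends the server package list, so it presumably applies to every host. On the NixOS release pinned here that option also opens the mosh UDP port range in the firewall, which is a network exposure change hidden in a packages file. Moving it to a host or role module, with a comment such as `# opens UDP 60000-61000`, would keep the firewall surface reviewable. Separately, `programs.vim.defaultEditor = true;` and `environment.variables = { EDITOR = "nvim"; };` both set `EDITOR`, so only the second is needed.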
@@ -0,0 +1,5 @@ +{ config, ... }: { + services.tailscale.enable = true; + networking.firewall.checkReversePath = "loose"; + networking.firewall.allowedUDPPorts = [ config.services.tailscale.port ]; +} diff --git a/modules/users/admins.nix b/modules/users/admins.nix index 2101ef7..f7c44d1 100644 --- a/modules/users/admins.nix +++ b/modules/users/admins.nix @@ -13,7 +13,6 @@ in isNormalUser = true; home = "/home/raito"; inherit extraGroups; - shell = "/run/current-system/sw/bin/zsh"; uid = 1000; openssh.authorizedKeys.keyFiles = [ ./keys/raito.keys ]; }; @@ -23,7 +22,6 @@ in isNormalUser = true; home = "/home/luj"; inherit (config.users.users.raito) extraGroups; - shell = "/run/current-system/sw/bin/zsh"; uid = 1001; openssh.authorizedKeys.keyFiles = [ ./keys/luj.keys ]; }; @@ -33,7 +31,6 @@ in isNormalUser = true; home = "/home/gdd"; inherit (config.users.users.raito) extraGroups; - shell = "/run/current-system/sw/bin/zsh"; uid = 1002; openssh.authorizedKeys.keyFiles = [ ./keys/gdd.keys ]; }; @@ -43,7 +40,6 @@ in isNormalUser = true; home = "/home/akechi"; inherit (config.users.users.raito) extraGroups; - shell = "/run/current-system/sw/bin/zsh"; uid = 1003; openssh.authorizedKeys.keyFiles = [ ./keys/akechi.keys ]; }; @@ -53,7 +49,6 @@ in isNormalUser = true; home = "/home/tomate"; inherit (config.users.users.raito) extraGroups; - shell = "/run/current-system/sw/bin/zsh"; uid = 1004; openssh.authorizedKeys.keyFiles = [ ./keys/tomate.keys ]; }; diff --git a/modules/users/yvan.nix b/modules/users/yvan.nix new file mode 100644 index 0000000..e9f11a9 --- /dev/null +++ b/modules/users/yvan.nix 
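Review bot: `networking.firewall.checkReversePath = "loose";` in modules/tailscale.nix relaxes reverse-path filtering for the whole host, not just `tailscale0`, and the file gives no reason for it. Add a comment such as `# loose rpfilter is needed for Tailscale exit-node / subnet routing; applies to all interfaces`. If the pinned NixOS release provides `services.tailscale.useRoutingFeatures`, setting that instead documents the intent and lets the module choose the rpfilter mode. Node enrolment is not declarative here, so a note on how the host joins the tailnet and who approves it would also help.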
@@ -0,0 +1,17 @@ +{ ... }: { + users.users.yvan = { + isNormalUser = true; + home = "/home/yvan"; + description = "Yvan's account"; + extraGroups = [ "wheel" "www-data" ]; + openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdMWQ1D9VJNrIzvgU8QMQwhy7Q/OFI9JNLpo/Kr0uXCeZBtSn9eMzZa88Q8gDaHnlc/BlTnlSomWP/S9u8+j21d+rXgDyPgJUqMjGBxFo4lZue3DlACXKQcwWXiNlGQKFPzSNBN62N3cRwm1R7Won9xVwedS4UnxsXbOGHkBnajQx40Ej3WRVBVbSjKKGaZKKCNO5hfistRP7RtqhwxYK7D/CyOfwnIUuBAnC3QYDYDph7SD2E5OX3rKwPDPnei0zaIMMXyFrMtv/czYOsisOud2H/VX0vipQh59qji/ZNSE31LemF4VcvC1307JX3uEwSfVWiBsWGPGfc/epQ4ixl yvan@X230" # Yvan's X230 + ]; + }; + + services.mastodon = { + enable = true; + smtp = { host = "mail.gandi.net"; fromAddress = "yvan@sraka.xyz"; }; + localDomain = "sraka.xyz"; + }; +} diff --git a/modules/zsh.nix b/modules/zsh.nix index bba3962..df628fb 100644 --- a/modules/zsh.nix +++ b/modules/zsh.nix @@ -5,4 +5,13 @@ programs.zsh.interactiveShellInit = '' source ${pkgs.zsh-nix-shell}/share/zsh-nix-shell/nix-shell.plugin.zsh ''; + + programs.zsh = { + autosuggestions.enable = true; + promptInit = '' + source ${pkgs.grml-zsh-config}/etc/zsh/zshrc + ''; + }; + + users.defaultUserShell = pkgs.zsh; } From df0771e3461594f6fa97bab8077923934b5aeee6 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Thu, 8 Jun 2023 17:43:37 +0200 Subject: [PATCH 02/83] infra(epyc): add my key on builder and iperf3 server --- hosts/epyc.nix | 1 + modules/builder.nix | 1 + modules/iperf-server.nix | 6 ++++++ 3 files changed, 8 insertions(+) create mode 100644 modules/iperf-server.nix diff --git a/hosts/epyc.nix b/hosts/epyc.nix index 029b051..efbf696 100644 --- a/hosts/epyc.nix +++ b/hosts/epyc.nix @@ -2,6 +2,7 @@ imports = [ ../modules/ipmi-supermicro.nix ../modules/hardware/supermicro-H12SSL-i.nix + ../modules/iperf-server.nix ]; networking.hostName = "epyc"; diff --git a/modules/builder.nix b/modules/builder.nix index 89833b5..5dc80c8 100644 --- a/modules/builder.nix +++ b/modules/builder.nix 
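Review bot: `services.mastodon` is enabled inside modules/users/yvan.nix, so any host that imports this account definition also starts a public-facing Mastodon instance for `sraka.xyz`. That couples a login account to a network service and makes the service easy to miss in review; a separate `modules/mastodon.nix` imported from hosts/vieuxtype.nix would keep the two apart. The account also receives `wheel` through an inline `ssh-rsa` key, whereas admins.nix uses `keyFiles` under `./keys/` and the other keys visible in this series are ed25519. Moving the key to `./keys/yvan.keys` and asking for an ed25519 key would match the rest. The `www-data` group is not declared in any visible hunk, so confirm it exists on NixOS or drop it.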
@@ -4,6 +4,7 @@ home = "/home/nix"; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAZpEtSfB0GDwcELc5/AKNiBZJV9OVfQ0BMFzBlF+8Yd raito@everywhere" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA3hCOyFwuoCLt5W9e9yQSwj9I+VspB0kNNHsoFngbgZ raito@thors" ]; uid = 5001; }; diff --git a/modules/iperf-server.nix b/modules/iperf-server.nix new file mode 100644 index 0000000..2b2a4b5 --- /dev/null +++ b/modules/iperf-server.nix @@ -0,0 +1,6 @@ +{ ... }: { + services.iperf3 = { + enable = true; + openFirewall = true; + }; +} From 696929edb4f24808bd14b93e143663f119788f15 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Thu, 8 Jun 2023 17:43:37 +0200 Subject: [PATCH 03/83] infra(epyc): add my key on builder and iperf3 server --- hosts/epyc.nix | 1 + modules/builder.nix | 1 + modules/iperf-server.nix | 6 ++++++ 3 files changed, 8 insertions(+) create mode 100644 modules/iperf-server.nix diff --git a/hosts/epyc.nix b/hosts/epyc.nix index 029b051..efbf696 100644 --- a/hosts/epyc.nix +++ b/hosts/epyc.nix @@ -2,6 +2,7 @@ imports = [ ../modules/ipmi-supermicro.nix ../modules/hardware/supermicro-H12SSL-i.nix + ../modules/iperf-server.nix ]; networking.hostName = "epyc"; diff --git a/modules/builder.nix b/modules/builder.nix index 89833b5..5dc80c8 100644 --- a/modules/builder.nix +++ b/modules/builder.nix @@ -4,6 +4,7 @@ home = "/home/nix"; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAZpEtSfB0GDwcELc5/AKNiBZJV9OVfQ0BMFzBlF+8Yd raito@everywhere" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA3hCOyFwuoCLt5W9e9yQSwj9I+VspB0kNNHsoFngbgZ raito@thors" ]; uid = 5001; }; diff --git a/modules/iperf-server.nix b/modules/iperf-server.nix new file mode 100644 index 0000000..2b2a4b5 --- /dev/null +++ b/modules/iperf-server.nix @@ -0,0 +1,6 @@ +{ ... }: { + services.iperf3 = { + enable = true; + openFirewall = true; + }; +} From 379d7644903353ed231f9b33c03d76ec600eeb69 Mon Sep 17 00:00:00 2001 
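Review bot: `openFirewall = true;` in modules/iperf-server.nix leaves an unauthenticated iperf3 listener reachable on every interface of epyc for as long as the module is imported, and modules/hosts.nix lists a global IPv6 address for that host. If the server is meant to stay, restrict it with the module's `bind` option to an internal address, or enable its `authorizedUsersFile` / `rsaPrivateKey` authentication. If it was only for a one-off measurement, drop `openFirewall` and run iperf3 by hand when needed. PATCH 03/83 is a byte-for-byte repeat of PATCH 02/83, so the same applies to its iperf-server.nix hunk.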
From: Tom Hubrecht Date: Wed, 28 Jun 2023 14:13:28 +0200 Subject: [PATCH 04/83] infra(epyc): Add an ssh key for tomate --- modules/users/keys/tomate.keys | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/users/keys/tomate.keys b/modules/users/keys/tomate.keys index c5428d0..4dffc5d 100644 --- a/modules/users/keys/tomate.keys +++ b/modules/users/keys/tomate.keys @@ -1 +1,2 @@ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3 +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn thubrecht@dell-xps From 820adcfa3117a5c40e8cd09558440beef6394485 Mon Sep 17 00:00:00 2001 From: Tom Hubrecht Date: Wed, 28 Jun 2023 14:13:55 +0200 Subject: [PATCH 05/83] misc: Add .gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) create mode 100644 .gitignore diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..92b2793 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.direnv From 02fa2102d616a857a0758e4823c899d4e9d8d46b Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 1 Jul 2023 13:00:00 +0200 Subject: [PATCH 06/83] configurations: add trusted cache, terminfo and kitty's terminfo --- configurations.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/configurations.nix b/configurations.nix index caaed52..6c2e8c5 100644 --- a/configurations.nix +++ b/configurations.nix @@ -39,6 +39,9 @@ let disko.nixosModules.disko srvos.nixosModules.server + srvos.nixosModules.mixins-trusted-nix-caches + srvos.nixosModules.mixins-terminfo + # srvos.nixosModules.mixins-telegraf # srvos.nixosModules.mixins-terminfo @@ -74,6 +77,10 @@ let nur.flake = nur; }; time.timeZone = "UTC"; + + environment.systemPackages = [ + pkgs.kitty.terminfo + ]; }) ]; in From 7fd10c28cb107e70ce3dd34773115d34fb4d2361 Mon Sep 17 00:00:00 2001 
From: Raito Bezarius Date: Sat, 1 Jul 2023 13:00:07 +0200 Subject: [PATCH 07/83] zsh: use grml configuration by default --- modules/zsh.nix | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/modules/zsh.nix b/modules/zsh.nix index bba3962..8a7fae2 100644 --- a/modules/zsh.nix +++ b/modules/zsh.nix @@ -4,5 +4,13 @@ programs.zsh.enableGlobalCompInit = false; programs.zsh.interactiveShellInit = '' source ${pkgs.zsh-nix-shell}/share/zsh-nix-shell/nix-shell.plugin.zsh - ''; + ''; + programs.zsh = { + autosuggestions.enable = true; + promptInit = '' + source ${pkgs.grml-zsh-config}/etc/zsh/zshrc + ''; + }; + + users.defaultUserShell = pkgs.zsh; } From 5e9b7b77327fc1af9969da8d09ff1027fac9608c Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 1 Jul 2023 13:00:27 +0200 Subject: [PATCH 08/83] nix-daemon: improve open files for NixOS VM tests and thundering effects for GC --- modules/nix-daemon.nix | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/modules/nix-daemon.nix b/modules/nix-daemon.nix index ffda29f..b45d3a8 100644 --- a/modules/nix-daemon.nix +++ b/modules/nix-daemon.nix @@ -24,11 +24,19 @@ in config = { warnings = lib.optionals (config.simd.arch == null) [ "Please set simd.arch for ${config.networking.hostName}" ]; + # Allow more open files for non-root users to run NixOS VM tests. + security.pam.loginLimits = [ + { domain = "*"; item = "nofile"; type = "-"; value = "20480"; } + ]; nix = { + # Garbage-collect often gc.automatic = true; - gc.dates = "03:15"; - gc.options = "--delete-older-than 30d"; + gc.dates = "*:45"; + gc.options = ''--max-freed "$((128 * 1024**3 - 1024 * $(df -P -k /nix/store | tail -n 1 | ${pkgs.gawk}/bin/awk '{ print $4 }')))"''; + + # Randomize GC to avoid thundering herd effects. + gc.randomizedDelaySec = "1800"; # 2.11, 2.12 suffers from a bug with remote builders… package = pkgs.nixVersions.nix_2_13; From c898d56781492e7380b72c1a681fe3afe283ffde Mon Sep 17 00:00:00 2001 
From: Julien Malka Date: Sat, 1 Jul 2023 16:44:29 +0200 Subject: [PATCH 09/83] added luj's remote builders --- modules/ssh-cursed.nix | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 modules/ssh-cursed.nix diff --git a/modules/ssh-cursed.nix b/modules/ssh-cursed.nix new file mode 100644 index 0000000..deb956d --- /dev/null +++ b/modules/ssh-cursed.nix @@ -0,0 +1,36 @@ +{ + programs.ssh.extraConfig = '' + Host telecom-bastion + HostName ssh.enst.fr + User jmalka + IdentityFile /home/luj/.ssh/id_ed25519 + + Host lame11 + Hostname lame11.enst.fr + User nix-remote-builder + ProxyJump telecom-bastion + IdentityFile /home/luj/.ssh/id_ed25519 + Host lame10 + Hostname lame10.enst.fr + User nix-remote-builder + ProxyJump telecom-bastion + IdentityFile /home/luj/.ssh/id_ed25519 + Host lame12 + Hostname lame12.enst.fr + User nix-remote-builder + ProxyJump telecom-bastion + IdentityFile /home/luj/.ssh/id_ed25519 + Host lame16 + Hostname lame16.enst.fr + User nix-remote-builder + ProxyJump telecom-bastion + IdentityFile /home/luj/.ssh/id_ed25519 + Host lame17 + Hostname lame17.enst.fr + User nix-remote-builder + ProxyJump telecom-bastion + IdentityFile /home/luj/.ssh/id_ed25519 + + ''; + +} From 147ca052d4651d9ca16fe3bf18b6b911d68b85ef Mon Sep 17 00:00:00 2001 From: Julien Malka Date: Sat, 1 Jul 2023 16:46:53 +0200 Subject: [PATCH 10/83] import ssh-cursed module --- configurations.nix | 64 ++++++++++++++++++++++++---------------------- 1 file changed, 34 insertions(+), 30 deletions(-) diff --git a/configurations.nix b/configurations.nix index 6c2e8c5..8441d78 100644 --- a/configurations.nix +++ b/configurations.nix @@ -34,6 +34,7 @@ let ./modules/hosts.nix ./modules/network.nix ./modules/zsh.nix + ./modules/ssh-cursed.nix disko.nixosModules.disko 
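Review bot: Every `Host` block in modules/ssh-cursed.nix sets `IdentityFile /home/luj/.ssh/id_ed25519`, a personal key in one admin's home directory, and the first hunk of PATCH 10/83 adds the module to `commonModules`, so the system-wide ssh configuration of every host refers to it. Remote builds are normally started by the Nix daemon, so this presumably needs root to read that user's private key, and the same key also authenticates as `jmalka` on the bastion. A dedicated builder key provisioned as a secret (agenix is already imported) and referenced by a root-owned path would separate machine access from a personal identity. The bastion and `lame*` host keys are not pinned in the visible lines; adding `programs.ssh.knownHosts` entries avoids trust-on-first-use for unattended connections.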
@@ -50,38 +51,41 @@ let , config , lib , ... - }: let - sopsFile = ./. + "/hosts/${config.networking.hostName}.yml"; - in { - nix.nixPath = [ - "home-manager=${home-manager}" - "nixpkgs=${pkgs.path}" - "nur=${nur}" - ]; - # TODO: share nixpkgs for each machine to speed up local evaluation. - #nixpkgs.pkgs = self.inputs.nixpkgs.legacyPackages.${system}; + }: + let + sopsFile = ./. + "/hosts/${config.networking.hostName}.yml"; + in + { + nix.nixPath = [ + "home-manager=${home-manager}" + "nixpkgs=${pkgs.path}" + "nur=${nur}" + ]; + # TODO: share nixpkgs for each machine to speed up local evaluation. + #nixpkgs.pkgs = self.inputs.nixpkgs.legacyPackages.${system}; - #users.withSops = builtins.pathExists sopsFile; - #sops.secrets = lib.mkIf (config.users.withSops) { - # root-password-hash.neededForUsers = true; - #}; - # sops.defaultSopsFile = lib.mkIf (builtins.pathExists sopsFile) sopsFile; + #users.withSops = builtins.pathExists sopsFile; + #sops.secrets = lib.mkIf (config.users.withSops) { + # root-password-hash.neededForUsers = true; + #}; + # sops.defaultSopsFile = lib.mkIf (builtins.pathExists sopsFile) sopsFile; - nix.extraOptions = '' - flake-registry = ${flake-registry}/flake-registry.json - ''; + nix.extraOptions = '' + flake-registry = ${flake-registry}/flake-registry.json + builders-use-substitutes = true + ''; - nix.registry = { - home-manager.flake = home-manager; - nixpkgs.flake = nixpkgs; - nur.flake = nur; - }; - time.timeZone = "UTC"; + nix.registry = { + home-manager.flake = home-manager; + nixpkgs.flake = nixpkgs; + nur.flake = nur; + }; + time.timeZone = "UTC"; - environment.systemPackages = [ - pkgs.kitty.terminfo - ]; - }) + environment.systemPackages = [ + pkgs.kitty.terminfo + ]; + }) ]; in { @@ -94,8 +98,8 @@ in ++ [ ./hosts/epyc.nix ]; - }; }; + }; flake.colmena = { meta.nixpkgs = import nixpkgs { @@ -107,6 +111,6 @@ in ++ [ ./hosts/epyc.nix ]; - }; + }; }; } From e3f59ee35f8f3debcddcc2c99ec5d24cfe94ad5c Mon Sep 17 00:00:00 2001 
From: Raito Bezarius Date: Sun, 2 Jul 2023 17:43:48 +0200 Subject: [PATCH 11/83] flake: add nixos-hypervisor input Private repository for now. --- flake.lock | 74 +++++++++++++++++++++++++++++++++++++++++++++++++++--- flake.nix | 7 +++++- 2 files changed, 76 insertions(+), 5 deletions(-) diff --git a/flake.lock b/flake.lock index 1e7db14..7e4330f 100644 --- a/flake.lock +++ b/flake.lock @@ -123,6 +123,27 @@ "type": "github" } }, + "flake-parts_2": { + "inputs": { + "nixpkgs-lib": [ + "nixos-hypervisor", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1687762428, + "narHash": "sha256-DIf7mi45PKo+s8dOYF+UlXHzE0Wl/+k3tXUyAoAnoGE=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "37dd7bb15791c86d55c5121740a1887ab55ee836", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, "flake-registry": { "flake": false, "locked": { @@ -182,16 +203,16 @@ ] }, "locked": { - "lastModified": 1667907331, - "narHash": "sha256-bHkAwkYlBjkupPUFcQjimNS8gxWSWjOTevEuwdnp5m0=", + "lastModified": 1687871164, + "narHash": "sha256-bBFlPthuYX322xOlpJvkjUBz0C+MOBjZdDOOJJ+G2jU=", "owner": "rycee", "repo": "home-manager", - "rev": "6639e3a837fc5deb6f99554072789724997bc8e5", + "rev": "07c347bb50994691d7b0095f45ebd8838cf6bc38", "type": "github" }, "original": { "owner": "rycee", - "ref": "release-22.05", + "ref": "release-23.05", "repo": "home-manager", "type": "github" } 
@@ -211,6 +232,29 @@ "type": "github" } }, + "nixos-hypervisor": { + "inputs": { + "flake-parts": "flake-parts_2", + "nixpkgs": [ + "nixpkgs" + ], + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1688312018, + "narHash": "sha256-HU6yQuvGyA9ZPik6VQ1RaIyRfPksDCDVVnUXVfpenzo=", + "ref": "main", + "rev": "1b532cd9302454fb65027ca9a190c875195fb01c", + "revCount": 2, + "type": "git", + "url": "ssh://gitea@git.newtype.fr/newtype/nixos-hypervisor" + }, + "original": { + "ref": "main", + "type": "git", + "url": "ssh://gitea@git.newtype.fr/newtype/nixos-hypervisor" + } + }, "nixpkgs": { "locked": { "lastModified": 1685952468, @@ -267,6 +311,7 @@ "flake-registry": "flake-registry", "home-manager": "home-manager_2", "nixos-hardware": "nixos-hardware", + "nixos-hypervisor": "nixos-hypervisor", "nixpkgs": "nixpkgs", "nixpkgs-unstable": "nixpkgs-unstable", "nur": "nur", @@ -308,6 +353,27 @@ "repo": "nixpkgs", "type": "github" } + }, + "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "nixos-hypervisor", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1688026376, + "narHash": "sha256-qJmkr9BWDpqblk4E9/rCsAEl39y2n4Ycw6KRopvpUcY=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "df3f32b0cc253dfc7009b7317e8f0e7ccd70b1cf", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 13302ee..61ef327 100644 --- a/flake.nix +++ b/flake.nix @@ -23,7 +23,7 @@ nixos-hardware.url = "github:NixOS/nixos-hardware"; nur.url = "github:nix-community/NUR"; - home-manager.url = "github:rycee/home-manager/release-22.05"; + home-manager.url = "github:rycee/home-manager/release-23.05"; home-manager.inputs.nixpkgs.follows = "nixpkgs"; agenix.url = "github:ryantm/agenix"; 
@@ -36,6 +36,11 @@ # actually not used when using the modules but than nothing ever will try to fetch this nixpkgs variant srvos.inputs.nixpkgs.follows = "nixpkgs"; + # Ryan's experimental hypervisor based on cloud-hypervisor + # Private repository, you need a valid SSH key to access it + nixos-hypervisor.url = "git+ssh://gitea@git.newtype.fr/newtype/nixos-hypervisor?ref=main"; + nixos-hypervisor.inputs.nixpkgs.follows = "nixpkgs"; + flake-registry.url = "github:NixOS/flake-registry"; flake-registry.flake = false; }; From 444a655fec714cf9bbc449103d81533e8e27574f Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 2 Jul 2023 17:46:01 +0200 Subject: [PATCH 12/83] infra: enable experimental hypervisor on EPYC machine --- configurations.nix | 3 +++ hosts/epyc.nix | 1 + modules/hypervisor.nix | 5 +++++ 3 files changed, 9 insertions(+) create mode 100644 modules/hypervisor.nix diff --git a/configurations.nix b/configurations.nix index 8441d78..f8b50ba 100644 --- a/configurations.nix +++ b/configurations.nix @@ -8,6 +8,7 @@ let nur colmena flake-registry + nixos-hypervisor nixos-hardware nixpkgs-unstable srvos @@ -43,6 +44,8 @@ let srvos.nixosModules.mixins-trusted-nix-caches srvos.nixosModules.mixins-terminfo + nixos-hypervisor.nixosModules.host + # srvos.nixosModules.mixins-telegraf # srvos.nixosModules.mixins-terminfo diff --git a/hosts/epyc.nix b/hosts/epyc.nix index efbf696..c7eb7a6 100644 --- a/hosts/epyc.nix +++ b/hosts/epyc.nix @@ -3,6 +3,7 @@ ../modules/ipmi-supermicro.nix ../modules/hardware/supermicro-H12SSL-i.nix ../modules/iperf-server.nix + ../modules/hypervisor.nix ]; networking.hostName = "epyc"; diff --git a/modules/hypervisor.nix b/modules/hypervisor.nix new file mode 100644 index 0000000..2b11b5c --- /dev/null +++ b/modules/hypervisor.nix @@ -0,0 +1,5 @@ +{ ... }: { + virtualisation.nvisor = { + enable = true; + }; +} From 8d187d1ef03929e79cef13e19262d7655ab1db6e Mon Sep 17 00:00:00 2001 
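Review bot: In PATCH 12/83 `nixos-hypervisor.nixosModules.host` is added to `commonModules`, so every host evaluates the experimental hypervisor module although only hosts/epyc.nix imports `../modules/hypervisor.nix` and sets `virtualisation.nvisor.enable = true`. Listing the module only for epyc, e.g. `++ [ nixos-hypervisor.nixosModules.host ./hosts/epyc.nix ]`, keeps experimental code out of the other machines' closures. The input itself is `git+ssh://gitea@git.newtype.fr/newtype/nixos-hypervisor?ref=main`, and modules/gitea.nix earlier in this series makes vieuxtype serve `git.newtype.fr`. Evaluating or re-locking the flake therefore needs SSH access to a service this repository deploys, which is a bootstrap dependency worth stating in the comment next to the input.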
From: Raito Bezarius Date: Sun, 2 Jul 2023 19:45:17 +0200 Subject: [PATCH 13/83] infra: boot a simple VM --- configurations.nix | 3 +++ flake.lock | 8 ++++---- hosts/epyc.nix | 8 ++++++++ 3 files changed, 15 insertions(+), 4 deletions(-) diff --git a/configurations.nix b/configurations.nix index f8b50ba..550d0fd 100644 --- a/configurations.nix +++ b/configurations.nix @@ -107,6 +107,9 @@ in flake.colmena = { meta.nixpkgs = import nixpkgs { system = "x86_64-linux"; + overlays = [ + nixos-hypervisor.overlays.default + ]; }; epyc = { imports = diff --git a/flake.lock b/flake.lock index 7e4330f..6a47414 100644 --- a/flake.lock +++ b/flake.lock @@ -241,11 +241,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1688312018, - "narHash": "sha256-HU6yQuvGyA9ZPik6VQ1RaIyRfPksDCDVVnUXVfpenzo=", + "lastModified": 1688319245, + "narHash": "sha256-+fXRVu4TDH8mxmZpSByJZCprKfHduFTLOb7sTm4w0RQ=", "ref": "main", - "rev": "1b532cd9302454fb65027ca9a190c875195fb01c", - "revCount": 2, + "rev": "89b36124b161492f140185815ec5b76a0b29dba7", + "revCount": 5, "type": "git", "url": "ssh://gitea@git.newtype.fr/newtype/nixos-hypervisor" }, diff --git a/hosts/epyc.nix b/hosts/epyc.nix index c7eb7a6..805fa33 100644 --- a/hosts/epyc.nix +++ b/hosts/epyc.nix @@ -10,6 +10,14 @@ boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; + virtualisation.nvisor.vms = { + vm01 = { + config = { pkgs, ... }: { + environment.systemPackages = [ pkgs.hello ]; + }; + }; + }; + simd.arch = "znver3"; system.stateVersion = "23.05"; } From c208537f4954b4a330b149d264e9e15b1821610c Mon Sep 17 00:00:00 2001 
From: Julien Malka Date: Sun, 23 Jul 2023 13:44:48 +0200 Subject: [PATCH 14/83] Updated hypervisor input --- flake.lock | 5 +-- flake.nix | 31 ++++++++----------- modules/buildbot/default.nix | 57 ++++++++++++++++++++++++++++++++++ modules/buildbot/worker.py | 59 ++++++++++++++++++++++++++++++++++++ 4 files changed, 131 insertions(+), 21 deletions(-) create mode 100644 modules/buildbot/default.nix create mode 100644 modules/buildbot/worker.py diff --git a/flake.lock b/flake.lock index 6a47414..ccc75ee 100644 --- a/flake.lock +++ b/flake.lock @@ -242,9 +242,9 @@ }, "locked": { "lastModified": 1688319245, - "narHash": "sha256-+fXRVu4TDH8mxmZpSByJZCprKfHduFTLOb7sTm4w0RQ=", + "narHash": "sha256-fVIbXKvHmxSUAKTMiXx799UasQwU2XT+op7bzvtfl8c=", "ref": "main", - "rev": "89b36124b161492f140185815ec5b76a0b29dba7", + "rev": "9f32a304708fd9c91c081db05eee1b4f2e0226cc", "revCount": 5, "type": "git", "url": "ssh://gitea@git.newtype.fr/newtype/nixos-hypervisor" @@ -379,3 +379,4 @@ "root": "root", "version": 7 } + diff --git a/flake.nix b/flake.nix index 61ef327..a906796 100644 --- a/flake.nix +++ b/flake.nix @@ -1,13 +1,6 @@ { description = "NixOS configuration with flakes"; - nixConfig.extra-substituters = [ - "https://newtype.cachix.org" - ]; - nixConfig.extra-trusted-public-keys = [ - "newtype.cachix.org-1:Gd5G2EVFNJslfR3PxA2+JY7mHT6MwVJ6biv5Cg47SD0=" - ]; - # To update all inputs: # $ nix flake update --recreate-lock-file inputs = { 
@@ -88,19 +81,19 @@ ] ++ pkgs.lib.optional (pkgs.stdenv.isLinux) pkgs.mkpasswd; }; packages = { - # netboot = pkgs.callPackage ./modules/netboot/netboot.nix { - # # this nixosSystem is built for x86_64 machines regardless of the host machine - # pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux; - # inherit (inputs.nixpkgs.lib) nixosSystem; - # extraModules = [ - # self.inputs.nur.nixosModules.nur - # { _module.args.inputs = self.inputs; } - # ]; - # }; + # netboot = pkgs.callPackage ./modules/netboot/netboot.nix { + # # this nixosSystem is built for x86_64 machines regardless of the host machine + # pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux; + # inherit (inputs.nixpkgs.lib) nixosSystem; + # extraModules = [ + # self.inputs.nur.nixosModules.nur + # { _module.args.inputs = self.inputs; } + # ]; + # }; - # netboot-pixie-core = pkgs.callPackage ./modules/netboot/netboot-pixie-core.nix { - # inherit (self'.packages) netboot; - # }; + # netboot-pixie-core = pkgs.callPackage ./modules/netboot/netboot-pixie-core.nix { + # inherit (self'.packages) netboot; + # }; }; }; flake = { diff --git a/modules/buildbot/default.nix b/modules/buildbot/default.nix new file mode 100644 index 0000000..5b0caa5 --- /dev/null +++ b/modules/buildbot/default.nix 
@@ -0,0 +1,57 @@ +{ lib, pkgs, config, ... }: +with lib; +let + cfg = config.luj.buildbot; + port = "1810"; + package = pkgs.buildbot-worker; + python = package.pythonModule; + home = "/var/lib/buildbot-worker"; + buildbotDir = "${home}/worker"; +in +{ + #buildbot worker + + nix.settings.allowed-users = [ "buildbot-worker" ]; + users.users.buildbot-worker = { + description = "Buildbot Worker User."; + isSystemUser = true; + createHome = true; + home = "/var/lib/buildbot-worker"; + group = "buildbot-worker"; + useDefaultShell = true; + }; + users.groups.buildbot-worker = { }; + + systemd.services.buildbot-worker = { + reloadIfChanged = true; + description = "Buildbot Worker."; + after = [ "network.target" "buildbot-master.service" ]; + wantedBy = [ "multi-user.target" ]; + path = [ + pkgs.unstable.nix-eval-jobs + pkgs.git + pkgs.gh + pkgs.nix + pkgs.nix-output-monitor + ]; + environment.PYTHONPATH = "${python.withPackages (_: [package])}/${python.sitePackages}"; + environment.MASTER_URL = ''tcp:host=ci.julienmalka.me''; + environment.BUILDBOT_DIR = buildbotDir; + environment.WORKER_PASSWORD_FILE = "/var/lib/buildbot-worker/password.txt"; + + serviceConfig = { + Type = "simple"; + User = "buildbot-worker"; + Group = "buildbot-worker"; + WorkingDirectory = home; + + # Restart buildbot with a delay. This time way we can use buildbot to deploy itself. + ExecReload = "+${pkgs.systemd}/bin/systemd-run --on-active=60 ${pkgs.systemd}/bin/systemctl restart buildbot-worker"; + ExecStart = "${python.pkgs.twisted}/bin/twistd --nodaemon --pidfile= --logfile - --python ${./worker.py}"; + }; + }; + +} + + + diff --git a/modules/buildbot/worker.py b/modules/buildbot/worker.py new file mode 100644 index 0000000..a640eff --- /dev/null +++ b/modules/buildbot/worker.py 
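Review bot: `environment.MASTER_URL = ''tcp:host=ci.julienmalka.me''` connects the worker to its master over plain TCP, so the login exchange and every build command the master sends travel without transport protection or server authentication. If the master can offer a TLS listener, a `tls:` endpoint with an explicit port is the safer default, e.g. `environment.MASTER_URL = "tls:host=ci.julienmalka.me:port=<MASTER_TLS_PORT>";`. The string as written also has no `port=`, which Twisted's endpoint parser probably rejects, though that cannot be confirmed from this hunk. Separately, `cfg` and `port` in the `let` block are never used, and `/var/lib/buildbot-worker/password.txt` is provisioned outside this configuration, so a comment stating who creates it and with which mode would help.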
@@ -0,0 +1,59 @@ +#!/usr/bin/env python3 + +import multiprocessing +import os +import socket +from io import open + +from buildbot_worker.bot import Worker +from twisted.application import service + + +def require_env(key: str) -> str: + val = os.environ.get(key) + assert val is not None, "val is not set" + return val + + +def setup_worker(application: service.Application, id: int) -> None: + basedir = f"{require_env('BUILDBOT_DIR')}-{id}" + os.makedirs(basedir, mode=0o700, exist_ok=True) + + master_url = require_env("MASTER_URL") + hostname = socket.gethostname() + workername = f"{hostname}-{id}" + + with open( + require_env("WORKER_PASSWORD_FILE"), "r", encoding="utf-8" + ) as passwd_file: + passwd = passwd_file.read().strip("\r\n") + keepalive = 600 + umask = None + maxdelay = 300 + numcpus = None + allow_shutdown = None + + s = Worker( + None, + None, + workername, + passwd, + basedir, + keepalive, + connection_string=master_url, + umask=umask, + maxdelay=maxdelay, + numcpus=numcpus, + allow_shutdown=allow_shutdown, + ) + s.setServiceParent(application) + + +# note: this line is matched against to check that this is a worker +# directory; do not edit it. +application = service.Application("buildbot-worker") + +for i in range(14): + setup_worker(application, i) + + From ebea10d242383fbb5d0c5f904e64f9358635213d Mon Sep 17 00:00:00 2001 From: Julien Malka Date: Tue, 1 Aug 2023 16:48:49 +0200 Subject: [PATCH 15/83] added buildbot workers --- configurations.nix | 1 + hosts/epyc.nix | 2 ++ modules/buildbot/default.nix | 4 ++-- modules/buildbot/worker.py | 5 ++--- 4 files changed, 7 insertions(+), 5 deletions(-) diff --git a/configurations.nix b/configurations.nix index 550d0fd..f14c0a0 100644 --- a/configurations.nix +++ b/configurations.nix @@ -36,6 +36,7 @@ let ./modules/network.nix ./modules/zsh.nix ./modules/ssh-cursed.nix + ./modules/buildbot disko.nixosModules.disko diff --git a/hosts/epyc.nix b/hosts/epyc.nix index 805fa33..b41c69a 100644 --- a/hosts/epyc.nix 
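Review bot: `require_env` relies on `assert val is not None, "val is not set"`, which is stripped when Python runs with `-O` and, when it does fire, does not say which variable is missing. An explicit check keeps the failure loud and specific: `if val is None: raise RuntimeError(f"{key} is not set")`. At the bottom of the file, `for i in range(14)` hard-codes the worker count while `multiprocessing` is imported and never used. If the intent was one worker per core, `range(multiprocessing.cpu_count())` says so; otherwise the import can go and the constant deserves a comment.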
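Review bot: Adding `./modules/buildbot` to this shared module list appears to enable the worker on every host built from it, not only on the build machine. The list starts outside the hunk, so this is inferred from its neighbours (`network.nix`, `zsh.nix`). The module from the previous patch defines the user and the systemd unit unconditionally, and its `cfg = config.luj.buildbot` is never consulted. Since this commit already touches `hosts/epyc.nix`, importing the module there, or wrapping its body in `lib.mkIf cfg.enable`, would keep the CI worker and its credentials off hosts that do not build.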
+++ b/hosts/epyc.nix @@ -18,6 +18,8 @@ }; }; + boot.binfmt.emulatedSystems = [ "aarch64-linux" "riscv64-linux" ]; + simd.arch = "znver3"; system.stateVersion = "23.05"; } diff --git a/modules/buildbot/default.nix b/modules/buildbot/default.nix index 5b0caa5..3691eab 100644 --- a/modules/buildbot/default.nix +++ b/modules/buildbot/default.nix @@ -28,14 +28,14 @@ in after = [ "network.target" "buildbot-master.service" ]; wantedBy = [ "multi-user.target" ]; path = [ - pkgs.unstable.nix-eval-jobs + pkgs.nix-eval-jobs pkgs.git pkgs.gh pkgs.nix pkgs.nix-output-monitor ]; environment.PYTHONPATH = "${python.withPackages (_: [package])}/${python.sitePackages}"; - environment.MASTER_URL = ''tcp:host=ci.julienmalka.me''; + environment.MASTER_URL = ''TCP:2a01\\:e34\\:ec2a\\:8e60\\:8ec7\\:b5d2\\:f663\\:a67a:9989''; environment.BUILDBOT_DIR = buildbotDir; environment.WORKER_PASSWORD_FILE = "/var/lib/buildbot-worker/password.txt"; diff --git a/modules/buildbot/worker.py b/modules/buildbot/worker.py index a640eff..198dfae 100644 --- a/modules/buildbot/worker.py +++ b/modules/buildbot/worker.py @@ -34,13 +34,12 @@ def setup_worker(application: service.Application, id: int) -> None: allow_shutdown = None s = Worker( - None, - None, + "2a01:e34:ec2a:8e60:8ec7:b5d2:f663:a67a", + 9989, workername, passwd, basedir, keepalive, - connection_string=master_url, umask=umask, maxdelay=maxdelay, numcpus=numcpus, From 81cf3e076932e6430e9ada6f94b9cf07634a603a Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 1 Aug 2023 17:00:14 +0200 Subject: [PATCH 16/83] epyc: add riscv64-linux emulation support --- hosts/epyc.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/hosts/epyc.nix b/hosts/epyc.nix index b41c69a..fda7667 100644 --- a/hosts/epyc.nix +++ b/hosts/epyc.nix @@ -4,6 +4,7 @@ ../modules/hardware/supermicro-H12SSL-i.nix ../modules/iperf-server.nix ../modules/hypervisor.nix + ../modules/hydra/coordinator.nix ]; networking.hostName = "epyc"; 
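Review bot: The master's address and port are now literals in the `Worker(...)` call (an IPv6 address and `9989`), while `connection_string=master_url` is removed. The diffstat shows no other change to `worker.py`, so `master_url = require_env("MASTER_URL")` is still executed and its value is no longer used. The same commit rewrites `environment.MASTER_URL` in `default.nix` to an escaped copy of the same address, which leaves two copies of the endpoint that can drift apart and a required variable with no effect. Either keep `connection_string=master_url` and fix the variable's syntax, or drop `MASTER_URL` and pass the pieces explicitly, e.g. `require_env("MASTER_HOST"), int(require_env("MASTER_PORT")),` (variable names are a suggestion). The link to the master stays unencrypted in both variants.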
@@ -18,7 +19,7 @@ }; }; - boot.binfmt.emulatedSystems = [ "aarch64-linux" "riscv64-linux" ]; + boot.binfmt.emulatedSystems = [ "riscv64-linux" "aarch64-linux" "riscv64-linux" ]; simd.arch = "znver3"; system.stateVersion = "23.05"; From 567b99aa57d4dbf0967dabb6162e37cf46e8db9d Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 1 Aug 2023 17:04:03 +0200 Subject: [PATCH 17/83] epyc: add hydra.newtype.fr --- modules/hydra/coordinator.nix | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 modules/hydra/coordinator.nix diff --git a/modules/hydra/coordinator.nix b/modules/hydra/coordinator.nix new file mode 100644 index 0000000..77c1ceb --- /dev/null +++ b/modules/hydra/coordinator.nix @@ -0,0 +1,9 @@ +{ ... }: { + services.hydra = { + enable = true; + hydraURL = "https://hydra.newtype.fr"; + notificationSender = "hydra@localhost"; + buildMachinesFiles = [ ]; + useSubstitutes = true; + }; +} From d9d32e019469e96a0e326ffc42ad306cfd86c04e Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Thu, 3 Aug 2023 22:56:37 +0200 Subject: [PATCH 18/83] epyc: init hydra settings properly --- hosts/epyc.nix | 16 ++++++++ modules/hydra/coordinator.nix | 76 ++++++++++++++++++++++++++++++++++- modules/nix-daemon.nix | 6 ++- 3 files changed, 95 insertions(+), 3 deletions(-) diff --git a/hosts/epyc.nix b/hosts/epyc.nix index fda7667..ac0864b 100644 --- a/hosts/epyc.nix +++ b/hosts/epyc.nix @@ -1,3 +1,8 @@ +{ lib, ... }: +let + gcc-system-features = arch: lib.optionals (arch != null) ([ "gccarch-${arch}" ] + ++ map (x: "gccarch-${x}") lib.systems.architectures.inferiors.${arch}); +in { imports = [ ../modules/ipmi-supermicro.nix 
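Review bot: The new value lists `riscv64-linux` twice, and the removed line already contained it, so this hunk adds no emulation support despite the commit subject. `boot.binfmt.emulatedSystems = [ "aarch64-linux" "riscv64-linux" ];` is what the result amounts to. The other hunk of this commit imports `../modules/hydra/coordinator.nix`, which is only created by the following patch, so this commit most likely does not evaluate on its own. Moving that import into the patch that adds the file would keep the series bisectable.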
@@ -19,6 +24,17 @@ }; }; + nix.buildMachines = [ + { hostName = "localhost"; + systems = [ + "x86_64-linux" + "riscv64-linux" + ]; + supportedFeatures = [ "kvm" "nixos-test" "big-parallel" "benchmark" ] ++ gcc-system-features "znver3"; + maxJobs = 1; + } + ]; + boot.binfmt.emulatedSystems = [ "riscv64-linux" "aarch64-linux" "riscv64-linux" ]; simd.arch = "znver3"; diff --git a/modules/hydra/coordinator.nix b/modules/hydra/coordinator.nix index 77c1ceb..55dda02 100644 --- a/modules/hydra/coordinator.nix +++ b/modules/hydra/coordinator.nix 
@@ -1,9 +1,81 @@ -{ ... }: { +{ pkgs, ... }: { services.hydra = { enable = true; hydraURL = "https://hydra.newtype.fr"; notificationSender = "hydra@localhost"; - buildMachinesFiles = [ ]; + buildMachinesFiles = [ "/etc/nix/machines" ]; useSubstitutes = true; }; + + environment.systemPackages = [ pkgs.nix-prefetch-git ]; + nix.trustedUsers = [ "hydra" "hydra-www" ]; + + services.postgresql = { + enableJIT = true; + settings = { + checkpoint_completion_target = "0.9"; + default_statistics_target = 100; + + max_connections = 500; + work_mem = "20MB"; + maintenance_work_mem = "2GB"; + + shared_buffers = "8GB"; + + min_wal_size = "1GB"; + max_wal_size = "2GB"; + wal_buffers = "16MB"; + + max_worker_processes = 16; + max_parallel_workers_per_gather = 8; + max_parallel_workers = 16; + + # NVMe related performance tuning + effective_io_concurrency = 200; + random_page_cost = "1.1"; + + # We can risk losing some transactions. + synchronous_commit = "off"; + + effective_cache_size = "16GB"; + + # autovacuum and autoanalyze much more frequently: + # at these values vacuum should run approximately + # every 2 mass rebuilds, or a couple times a day + # on the builds table. Some of those queries really + # benefit from frequent vacuums, so this should + # help. In particular, I'm thinking the jobsets + # pages. 
+ autovacuum_vacuum_scale_factor = 0.002; + autovacuum_analyze_scale_factor = 0.001; + + shared_preload_libraries = "pg_stat_statements"; + compute_query_id = "on"; + }; + }; + + security.acme = { + acceptTerms = true; + defaults.email = "ryan@lahfa.xyz"; + }; + + services.nginx = { + enable = true; + + recommendedZstdSettings = true; + recommendedBrotliSettings = true; + recommendedGzipSettings = true; + recommendedOptimisation =true; + recommendedTlsSettings = true; + recommendedProxySettings = true; + }; + + services.nginx.virtualHosts."hydra.newtype.fr" = { + forceSSL = true; + enableACME = true; + # TODO: remove compression for some locations + locations."/".proxyPass = "http://localhost:3000"; + }; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; } diff --git a/modules/nix-daemon.nix b/modules/nix-daemon.nix index b45d3a8..3120c3d 100644 --- a/modules/nix-daemon.nix +++ b/modules/nix-daemon.nix @@ -42,13 +42,17 @@ in package = pkgs.nixVersions.nix_2_13; # should be enough? - nrBuildUsers = lib.mkDefault 32; + nrBuildUsers = 128; # https://github.com/NixOS/nix/issues/719 + daemonCPUSchedPolicy = "batch"; + daemonIOSchedClass = "best-effort"; + daemonIOSchedPriority = 5; settings = { keep-outputs = true; keep-derivations = true; + max-jobs = 64; # in zfs we trust fsync-metadata = lib.boolToString (!config.boot.isContainer or config.fileSystems."/".fsType != "zfs"); substituters = [ From 88873083d509478d3aff3dbd8fa9224220ae645a Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Fri, 4 Aug 2023 02:52:46 +0200 Subject: [PATCH 19/83] =?UTF-8?q?epyc:=2064=20=E2=86=92=2042=20max=20jobs?= =?UTF-8?q?=20otherwise=20RAM=20explodes=20too=20quickly=20with=20browsers?= =?UTF-8?q?=20and=20whatever?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- modules/nix-daemon.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nix-daemon.nix b/modules/nix-daemon.nix index 3120c3d..ab3626e 100644 
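Review bot: `nix.trustedUsers = [ "hydra" "hydra-www" ];` makes the account that runs the web frontend a trusted Nix user, and the same hunk publishes that frontend through nginx on ports 80 and 443. Trusted users can override daemon settings and import unsigned store paths, which is close to root on the build host, so a flaw in the web application would reach much further than the `hydra-www` account. Unless something here depends on it, I would drop `hydra-www` and use the current option name: `nix.settings.trusted-users = [ "hydra" ];`. The `synchronous_commit = "off"` line has a comment explaining its trade-off, and the trusted-user line deserves one as well.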
--- a/modules/nix-daemon.nix +++ b/modules/nix-daemon.nix @@ -52,7 +52,7 @@ in settings = { keep-outputs = true; keep-derivations = true; - max-jobs = 64; + max-jobs = 42; # 64 is too much, it will explode the RAM for now. Let's keep it serious. # in zfs we trust fsync-metadata = lib.boolToString (!config.boot.isContainer or config.fileSystems."/".fsType != "zfs"); substituters = [ From 65c58a00bb2547e6a270c0531c018cf523eae94d Mon Sep 17 00:00:00 2001 From: Julien Malka Date: Mon, 7 Aug 2023 14:46:46 +0200 Subject: [PATCH 20/83] added attic to buildbot --- flake.nix | 2 ++ modules/buildbot/default.nix | 4 +++- modules/packages.nix | 3 ++- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/flake.nix b/flake.nix index a906796..d4b5920 100644 --- a/flake.nix +++ b/flake.nix @@ -25,6 +25,8 @@ colmena.url = "github:zhaofengli/colmena"; colmena.inputs.nixpkgs.follows = "nixpkgs"; + attic.url = "github:zhaofengli/attic"; + srvos.url = "github:numtide/srvos"; # actually not used when using the modules but than nothing ever will try to fetch this nixpkgs variant srvos.inputs.nixpkgs.follows = "nixpkgs"; diff --git a/modules/buildbot/default.nix b/modules/buildbot/default.nix index 3691eab..ae77a56 100644 --- a/modules/buildbot/default.nix +++ b/modules/buildbot/default.nix @@ -1,4 +1,4 @@ -{ lib, pkgs, config, ... }: +{ lib, pkgs, config, inputs, ... }: with lib; let cfg = config.luj.buildbot; @@ -12,6 +12,7 @@ in #buildbot worker nix.settings.allowed-users = [ "buildbot-worker" ]; + nix.settings.trusted-users = [ "buildbot-worker" ]; users.users.buildbot-worker = { description = "Buildbot Worker User."; isSystemUser = true; @@ -33,6 +34,7 @@ in pkgs.gh pkgs.nix pkgs.nix-output-monitor + inputs.attic.packages.x86_64-linux.attic ]; environment.PYTHONPATH = "${python.withPackages (_: [package])}/${python.sitePackages}"; environment.MASTER_URL = ''TCP:2a01\\:e34\\:ec2a\\:8e60\\:8ec7\\:b5d2\\:f663\\:a67a:9989''; 
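Review bot: `nix.settings.trusted-users = [ "buildbot-worker" ];` gives the CI worker account trusted status with the Nix daemon, and that account runs whatever jobs the remote master sends over the unencrypted endpoint in `MASTER_URL` a few lines below. Trusted users can add substituters, relax sandbox settings and import unsigned paths, so control over a build on this worker is close to control over the host. If the goal is only to let the worker use `attic`, pushing to a cache does not normally need trusted status. I would remove the line, or justify it in place: `# trusted because: <REASON>`. The `allowed-users = [ "buildbot-worker" ]` line just above replaces the default rather than extending it, which is probably not intended either.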
diff --git a/modules/packages.nix b/modules/packages.nix index c396d63..5503b6e 100644 --- a/modules/packages.nix +++ b/modules/packages.nix @@ -1,10 +1,11 @@ -{ pkgs, ... }: { +{ pkgs, inputs, ... }: { # this extends the list from: # https://github.com/numtide/srvos/blob/master/server.nix#L10 environment.systemPackages = with pkgs; [ socat whois + inputs.attic.packages.x86_64-linux.attic jq psmisc libarchive From 14ec5cc6fe00ea0f8900a4e063118d9ff396f318 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 13 Aug 2023 01:20:41 +0200 Subject: [PATCH 21/83] epyc: add nix-top --- modules/packages.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/modules/packages.nix b/modules/packages.nix index 5503b6e..7d84ab0 100644 --- a/modules/packages.nix +++ b/modules/packages.nix @@ -35,6 +35,8 @@ usbutils ipmitool + + nix-top # tries to default to soft-float due to out-dated cc-rs ] ++ lib.optional (!stdenv.hostPlatform.isRiscV) bandwhich; } From ada25e575fcb916a27439fcb08bfef72e3be70fe Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 13 Aug 2023 01:20:45 +0200 Subject: [PATCH 22/83] flake: bump --- flake.lock | 65 +++++++++++++++++++++++++++--------------------------- 1 file changed, 32 insertions(+), 33 deletions(-) diff --git a/flake.lock b/flake.lock index ccc75ee..4ef6807 100644 --- a/flake.lock +++ b/flake.lock @@ -9,11 +9,11 @@ ] }, "locked": { - "lastModified": 1684153753, - "narHash": "sha256-PVbWt3qrjYAK+T5KplFcO+h7aZWfEj1UtyoKlvcDxh0=", + "lastModified": 1690228878, + "narHash": "sha256-9Xe7JV0krp4RJC9W9W9WutZVlw6BlHTFMiUP/k48LQY=", "owner": "ryantm", "repo": "agenix", - "rev": "db5637d10f797bb251b94ef9040b237f4702cde3", + "rev": "d8c973fd228949736dedf61b7f8cc1ece3236792", "type": "github" }, "original": { 
@@ -32,11 +32,11 @@ "stable": "stable" }, "locked": { - "lastModified": 1685163780, - "narHash": "sha256-tMwseHtEFDpO3WKeZKWqrKRAZI6TiEULidxEbzicuFg=", + "lastModified": 1688224393, + "narHash": "sha256-rsAvFNhRFzTF7qyb6WprLFghJnRxMFjvD2e5/dqMp4I=", "owner": "zhaofengli", "repo": "colmena", - "rev": "c61bebae1dc1d57237577080b1ca1e37a3fbcebf", + "rev": "19384f3ee2058c56021e4465a3ec57e84a47d8dd", "type": "github" }, "original": { @@ -74,11 +74,11 @@ ] }, "locked": { - "lastModified": 1685970051, - "narHash": "sha256-F5ZxBD2DeNd+Q0dDKYBhv76kfjVG/X0ccXjSKpa8KdI=", + "lastModified": 1690739034, + "narHash": "sha256-roW02IaiQ3gnEEDMCDWL5YyN+C4nBf/te6vfL7rG0jk=", "owner": "nix-community", "repo": "disko", - "rev": "29d632d7e8fa86f937153ecdfd7d768411001d2d", + "rev": "4015740375676402a2ee6adebc3c30ea625b9a94", "type": "github" }, "original": { @@ -110,11 +110,11 @@ ] }, "locked": { - "lastModified": 1685662779, - "narHash": "sha256-cKDDciXGpMEjP1n6HlzKinN0H+oLmNpgeCTzYnsA2po=", + "lastModified": 1690933134, + "narHash": "sha256-ab989mN63fQZBFrkk4Q8bYxQCktuHmBIBqUG1jl6/FQ=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "71fb97f0d875fd4de4994dfb849f2c75e17eb6c3", + "rev": "59cf3f1447cfc75087e7273b04b31e689a8599fb", "type": "github" }, "original": { @@ -147,11 +147,11 @@ "flake-registry": { "flake": false, "locked": { - "lastModified": 1682423975, - "narHash": "sha256-zvOBrH3hwCedgpaWiOSHYSt+fgF/RhaJs8R5qOX6AYc=", + "lastModified": 1689333397, + "narHash": "sha256-g1Nn0sgH/hR/gEAQ1q6bloU+Q+V+Y4HlBBH6CBxC0HM=", "owner": "NixOS", "repo": "flake-registry", - "rev": "8054bfa00d60437297d670ab3296a117e7059a10", + "rev": "5d8dc3eb692809ffd9a2f22cdb8015aa11972905", "type": "github" }, "original": { 
@@ -219,11 +219,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1684899633, - "narHash": "sha256-NtwerXX8UFsoNy6k+DukJMriWtEjQtMU/Urbff2O2Dg=", + "lastModified": 1690957133, + "narHash": "sha256-0Y4CiOIszhHDDXHFmvHUpmhUotKOIn0m3jpMlm6zUTE=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "4cc688ee711159b9bcb5a367be44007934e1a49d", + "rev": "24f9162b26f0debd163f6d94752aa2acb9db395a", "type": "github" }, "original": { @@ -241,11 +241,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1688319245, + "lastModified": 1688428885, "narHash": "sha256-fVIbXKvHmxSUAKTMiXx799UasQwU2XT+op7bzvtfl8c=", "ref": "main", "rev": "9f32a304708fd9c91c081db05eee1b4f2e0226cc", - "revCount": 5, + "revCount": 2, "type": "git", "url": "ssh://gitea@git.newtype.fr/newtype/nixos-hypervisor" }, @@ -257,11 +257,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1685952468, - "narHash": "sha256-YCOr9kttCqoa9IZMjHxX6SlwenTg7FsSmG9TaT76mSE=", + "lastModified": 1691083802, + "narHash": "sha256-bjWTVGskCWR2BdB0Glnj2FyHooNiFThkFBF4oaAMe2s=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "70f7275b32f49bc67ae3532b758b80cb6c27f98a", + "rev": "096c262bbb73d84b8298d81c7daa9890c6ccd6da", "type": "github" }, "original": { @@ -273,11 +273,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1685938391, - "narHash": "sha256-96Jw6TbWDLSopt5jqCW8w1Fc1cjQyZlhfBnJ3OZGpME=", + "lastModified": 1691003216, + "narHash": "sha256-Qq/MPkhS12Bl0X060pPvX3v9ac3f2rRQfHjjozPh/Qs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "31cd1b4afbaf0b1e81272ee9c31d1ab606503aed", + "rev": "4a56ce9727a0c5478a836a0d8a8f641c5b9a3d5f", "type": "github" }, "original": { 
@@ -289,11 +289,11 @@ }, "nur": { "locked": { - "lastModified": 1685980073, - "narHash": "sha256-7BkreZ2cH488dR1XPcdlALj+2g+NvrZdG9ZhwRt0YFI=", + "lastModified": 1691109630, + "narHash": "sha256-NkltnE+ZMABNP7pJVj7ftu/58aTGa5PXxICLr8fjkI4=", "owner": "nix-community", "repo": "NUR", - "rev": "de817406e39c1f9be28fde1d62c1f1f0c91acb09", + "rev": "dcd922e7738fc027c73cd2cc110015d38fba9651", "type": "github" }, "original": { @@ -325,11 +325,11 @@ ] }, "locked": { - "lastModified": 1685966850, - "narHash": "sha256-HaWNbihBIBATmSbuXLzA92C4858tNdS9Q5kRHJNagVo=", + "lastModified": 1690557184, + "narHash": "sha256-KMGPz3pP7OoUZaUhgcuYG84CtVaJOQw6RK8J0fAtKt0=", "owner": "numtide", "repo": "srvos", - "rev": "4f22e6fcaf17c6313c2ecdc996760c3e4b14a623", + "rev": "ceed433086a85e5540bd73cff46497af5a09e36f", "type": "github" }, "original": { @@ -379,4 +379,3 @@ "root": "root", "version": 7 } - From 0e8785863ed8fb7dd6cf7b114372a67332fd9827 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 13 Aug 2023 01:21:32 +0200 Subject: [PATCH 23/83] epyc: nerf it --- modules/nix-daemon.nix | 38 ++++++++++++++++++++++++++++---------- 1 file changed, 28 insertions(+), 10 deletions(-) diff --git a/modules/nix-daemon.nix b/modules/nix-daemon.nix index ab3626e..760c768 100644 --- a/modules/nix-daemon.nix +++ b/modules/nix-daemon.nix @@ -1,6 +1,7 @@ { lib , config , pkgs +, inputs , ... }: @@ -29,6 +30,17 @@ in { domain = "*"; item = "nofile"; type = "-"; value = "20480"; } ]; + # Memory accounting techniques + systemd.services.nix-daemon.serviceConfig = { + MemoryAccounting = true; + MemoryMax = "225G"; + MemoryHigh = "220G"; + MemorySwapMax = "2G"; + ManagedOOMSwap = "kill"; + ManagedOOMMemoryPressure = "kill"; + MemoryPressureWatch = "on"; + }; + nix = { # Garbage-collect often gc.automatic = true; 
@@ -38,23 +50,21 @@ in # Randomize GC to avoid thundering herd effects. gc.randomizedDelaySec = "1800"; - # 2.11, 2.12 suffers from a bug with remote builders… - package = pkgs.nixVersions.nix_2_13; + # Inchallah, it works. + # package = lib.mkForce inputs.nixpkgs-unstable.legacyPackages.x86_64-linux.nixVersions.nix_2_17; # should be enough? nrBuildUsers = 128; - # https://github.com/NixOS/nix/issues/719 - daemonCPUSchedPolicy = "batch"; - daemonIOSchedClass = "best-effort"; - daemonIOSchedPriority = 5; - settings = { keep-outputs = true; keep-derivations = true; - max-jobs = 42; # 64 is too much, it will explode the RAM for now. Let's keep it serious. - # in zfs we trust - fsync-metadata = lib.boolToString (!config.boot.isContainer or config.fileSystems."/".fsType != "zfs"); + use-cgroups = true; + http-connections = 0; + auto-allocate-uids = true; + cores = 64; # 128 is too much, it will explode the RAM for now. Let's keep it serious. + max-jobs = 2; # Do not build more than 2 derivations at once in the event, both of them are too big, yes this is stupid, fix it in Nix. + fsync-metadata = true; substituters = [ "https://nix-community.cachix.org" "https://tum-dse.cachix.org" @@ -64,6 +74,14 @@ in "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "tum-dse.cachix.org-1:v67rK18oLwgO0Z4b69l30SrV1yRtqxKpiHodG4YxhNM=" ]; + experimental-features = [ + "auto-allocate-uids" + "ca-derivations" + "cgroups" + "discard-references" + "fetch-closure" + "impure-derivations" + ]; }; }; From 38e86907c81bdf8814e6c4196a2ff1c9a3486140 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 13 Aug 2023 01:24:09 +0200 Subject: [PATCH 24/83] epyc: maybe we can afford 2 jobs on localhost for Hydra? --- hosts/epyc.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/epyc.nix b/hosts/epyc.nix index ac0864b..019c5a9 100644 --- a/hosts/epyc.nix +++ b/hosts/epyc.nix 
@@ -31,7 +31,7 @@ in "riscv64-linux" ]; supportedFeatures = [ "kvm" "nixos-test" "big-parallel" "benchmark" ] ++ gcc-system-features "znver3"; - maxJobs = 1; + maxJobs = 2; } ]; From 85154e3d19031fc326eb83777ba6ccf52f659669 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 13 Aug 2023 01:24:14 +0200 Subject: [PATCH 25/83] flake: bump --- flake.lock | 155 ++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 149 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 4ef6807..5f9ac55 100644 --- a/flake.lock +++ b/flake.lock @@ -22,10 +22,32 @@ "type": "github" } }, - "colmena": { + "attic": { "inputs": { + "crane": "crane", "flake-compat": "flake-compat", "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs", + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1689457600, + "narHash": "sha256-1XLn2ZZMaqQx+Ys3eel5hQRkgUn3DeHcVb2JT8WYU0A=", + "owner": "zhaofengli", + "repo": "attic", + "rev": "4902d57f5dae8ec660ee9ee14c45c2192f9fe8b1", + "type": "github" + }, + "original": { + "owner": "zhaofengli", + "repo": "attic", + "type": "github" + } + }, + "colmena": { + "inputs": { + "flake-compat": "flake-compat_2", + "flake-utils": "flake-utils_2", "nixpkgs": [ "nixpkgs" ], @@ -45,6 +67,36 @@ "type": "github" } }, + "crane": { + "inputs": { + "flake-compat": [ + "attic", + "flake-compat" + ], + "flake-utils": [ + "attic", + "flake-utils" + ], + "nixpkgs": [ + "attic", + "nixpkgs" + ], + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1677892403, + "narHash": "sha256-/Wi0L1spSWLFj+UQxN3j0mPYMoc7ZoAujpUF/juFVII=", + "owner": "ipetkov", + "repo": "crane", + "rev": "105e27adb70a9890986b6d543a67761cbc1964a2", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, "darwin": { "inputs": { "nixpkgs": [ 
@@ -88,6 +140,22 @@ } }, "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { "flake": false, "locked": { "lastModified": 1650374568, @@ -161,6 +229,21 @@ } }, "flake-utils": { + "locked": { + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { "locked": { "lastModified": 1659877975, "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", @@ -257,16 +340,32 @@ }, "nixpkgs": { "locked": { - "lastModified": 1691083802, - "narHash": "sha256-bjWTVGskCWR2BdB0Glnj2FyHooNiFThkFBF4oaAMe2s=", + "lastModified": 1686519857, + "narHash": "sha256-VkBhuq67aXXiCoEmicziuDLUPPjeOTLQoj6OeVai5zM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "096c262bbb73d84b8298d81c7daa9890c6ccd6da", + "rev": "6b1b72c0f887a478a5aac355674ff6df0fc44f44", "type": "github" }, "original": { "owner": "NixOS", - "ref": "release-23.05", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1685004253, + "narHash": "sha256-AbVL1nN/TDicUQ5wXZ8xdLERxz/eJr7+o8lqkIOVuaE=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "3e01645c40b92d29f3ae76344a6d654986a91a91", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.05", "repo": "nixpkgs", "type": "github" } 
@@ -287,6 +386,22 @@ "type": "github" } }, + "nixpkgs_2": { + "locked": { + "lastModified": 1691083802, + "narHash": "sha256-bjWTVGskCWR2BdB0Glnj2FyHooNiFThkFBF4oaAMe2s=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "096c262bbb73d84b8298d81c7daa9890c6ccd6da", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, "nur": { "locked": { "lastModified": 1691109630, @@ -305,6 +420,7 @@ "root": { "inputs": { "agenix": "agenix", + "attic": "attic", "colmena": "colmena", "disko": "disko", "flake-parts": "flake-parts", @@ -312,12 +428,39 @@ "home-manager": "home-manager_2", "nixos-hardware": "nixos-hardware", "nixos-hypervisor": "nixos-hypervisor", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_2", "nixpkgs-unstable": "nixpkgs-unstable", "nur": "nur", "srvos": "srvos" } }, + "rust-overlay": { + "inputs": { + "flake-utils": [ + "attic", + "crane", + "flake-utils" + ], + "nixpkgs": [ + "attic", + "crane", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1675391458, + "narHash": "sha256-ukDKZw922BnK5ohL9LhwtaDAdCsJL7L6ScNEyF1lO9w=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "383a4acfd11d778d5c2efcf28376cbd845eeaedf", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "srvos": { "inputs": { "nixpkgs": [ From a812707b62157418a739a748349e34c3d244d153 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 16 Aug 2023 15:22:54 +0200 Subject: [PATCH 26/83] friends: init with ninjatrappeur --- hosts/epyc.nix | 1 + modules/users/friends.nix | 11 +++++++++++ modules/users/keys/ninjaTrappeur.keys | 3 +++ 3 files changed, 15 insertions(+) create mode 100644 modules/users/friends.nix create mode 100644 modules/users/keys/ninjaTrappeur.keys diff --git a/hosts/epyc.nix b/hosts/epyc.nix index 019c5a9..67025ab 100644 --- a/hosts/epyc.nix +++ b/hosts/epyc.nix 
@@ -10,6 +10,7 @@ in ../modules/iperf-server.nix ../modules/hypervisor.nix ../modules/hydra/coordinator.nix + ../modules/users/friends.nix ]; networking.hostName = "epyc"; diff --git a/modules/users/friends.nix b/modules/users/friends.nix new file mode 100644 index 0000000..8d5ea3f --- /dev/null +++ b/modules/users/friends.nix @@ -0,0 +1,11 @@ +{ ... }: { + users.users = { + ninjatrappeur = { + isNormalUser = true; + home = "/home/ninjatrappeur"; + shell = "/run/current-system/sw/bin/zsh"; + uid = 2000; + openssh.authorizedKeys.keyFiles = [ ./keys/ninjatrappeur.keys ]; + }; + }; +} diff --git a/modules/users/keys/ninjaTrappeur.keys b/modules/users/keys/ninjaTrappeur.keys new file mode 100644 index 0000000..2dd6171 --- /dev/null +++ b/modules/users/keys/ninjaTrappeur.keys @@ -0,0 +1,3 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClF9ko5u4zf0CEvleEeRbo9r6BMNgXEGO/rDNZOEHcKxVaeIi+/xF6ZQ5MZbcmH08lswq32hb1XwXg7Gk+ofUdEvCD/kC/vJijt7IFkardy6BNOSWQJLEf6/BpL3LzDQhi7iZXPF46VYoPVGHBh8fKQaAtOCrhbf/8JutfTwCglEztjoiQxY5b8OMfntjBSl6TJwZPJAoQllbJJz9q90sBetvqx6Y08eqIzsSZw6pznpvivRR+TSKU0EkVYS2y2zBAvPK6oyunj5zi01/FACT+Qn70dUkumZAvcPssbl0hCs/xDLgEL6hCEvoszodyMYVn7HS0KwfUlfiGdNUOFHIl +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHzd1XAB7Pc8Tplur5iV3llOXtvlHru8pLtQlbvHzmt1 +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOE7oDtq+xt5RuvMigDZMeZQODFr5Otz6HCO8wnI80oo From 62e37c45ea5d3347c71223861cad827690d73f6b Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 16 Aug 2023 15:32:04 +0200 Subject: [PATCH 27/83] =?UTF-8?q?keys:=20ninjaTrappeur=20=E2=86=92=20ninja?= =?UTF-8?q?trappeur?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- modules/users/keys/{ninjaTrappeur.keys => ninjatrappeur.keys} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename modules/users/keys/{ninjaTrappeur.keys => ninjatrappeur.keys} (100%) 
diff --git a/modules/users/keys/ninjaTrappeur.keys b/modules/users/keys/ninjatrappeur.keys similarity index 100% rename from modules/users/keys/ninjaTrappeur.keys rename to modules/users/keys/ninjatrappeur.keys From e460e8ca8a9775240399cdb9568a5c979fcfbab0 Mon Sep 17 00:00:00 2001 From: Julien Malka Date: Mon, 21 Aug 2023 13:57:12 +0200 Subject: [PATCH 28/83] Added nom to packages --- modules/packages.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/packages.nix b/modules/packages.nix index 7d84ab0..45482a8 100644 --- a/modules/packages.nix +++ b/modules/packages.nix @@ -5,6 +5,7 @@ socat whois + nix-output-monitor inputs.attic.packages.x86_64-linux.attic jq psmisc From 6ae5f622fb370c713f9274d5f410745f6ff73bc6 Mon Sep 17 00:00:00 2001 From: Julien Malka Date: Mon, 21 Aug 2023 13:57:34 +0200 Subject: [PATCH 29/83] removed builbot from trusted users --- modules/buildbot/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/buildbot/default.nix b/modules/buildbot/default.nix index ae77a56..99c7387 100644 --- a/modules/buildbot/default.nix +++ b/modules/buildbot/default.nix @@ -11,7 +11,7 @@ in { #buildbot worker - nix.settings.allowed-users = [ "buildbot-worker" ]; + # nix.settings.allowed-users = [ "buildbot-worker" ]; nix.settings.trusted-users = [ "buildbot-worker" ]; users.users.buildbot-worker = { description = "Buildbot Worker User."; From 7c1ab12829b55222b65fda2685d304ff8da9276b Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Thu, 17 Aug 2023 23:37:18 +0200 Subject: [PATCH 30/83] friends: init with linus --- modules/users/friends.nix | 17 ++++++++++++++++- modules/users/keys/linus.keys | 4 ++++ 2 files changed, 20 insertions(+), 1 deletion(-) create mode 100644 modules/users/keys/linus.keys diff --git a/modules/users/friends.nix b/modules/users/friends.nix index 8d5ea3f..684353f 100644 --- a/modules/users/friends.nix +++ b/modules/users/friends.nix 
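Review bot: The commit subject says the worker was removed from the trusted users, but the `modules/buildbot/default.nix` hunk comments out `allowed-users` and leaves `nix.settings.trusted-users = [ "buildbot-worker" ];` in place, so the worker keeps its elevated daemon rights. If the subject states the intent, the change should be the reverse: delete `nix.settings.trusted-users = [ "buildbot-worker" ];` and leave `allowed-users` alone. If relaxing `allowed-users` was the intent, the subject should say so, and deleting the line is cleaner than keeping it as a comment.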
@@ -1,11 +1,26 @@ -{ ... }: { +{ ... }: +let + trustedFriendGroups = [ + "production-hydra-db" + ]; +in +{ users.users = { ninjatrappeur = { isNormalUser = true; home = "/home/ninjatrappeur"; shell = "/run/current-system/sw/bin/zsh"; uid = 2000; + extraGroups = trustedFriendGroups; openssh.authorizedKeys.keyFiles = [ ./keys/ninjatrappeur.keys ]; }; + linus = { + isNormalUser = true; + home = "/home/linus"; + shell = "/run/current-system/sw/bin/zsh"; + uid = 2001; + extraGroups = trustedFriendGroups; + openssh.authorizedKeys.keyFiles = [ ./keys/linus.keys ]; + }; }; } diff --git a/modules/users/keys/linus.keys b/modules/users/keys/linus.keys new file mode 100644 index 0000000..59249fb --- /dev/null +++ b/modules/users/keys/linus.keys @@ -0,0 +1,4 @@ +ssh-rsa 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 +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN3EmXYSXsimS+vlGYtfTkOGuwvkXU0uHd2yYKLOxD2F +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIJWYrcu8usyqdLv4XO4i5TPaQhB+lH3Xbu2uz64hQe3 +sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAICDgQA1A1uHJsqLsSLLkuWNlxXrpGRD6Qx11WBbfP+SmAAAAEXNzaDpsaW51c0BiZWl3ZXJr From 69aac159fa460c9a2517832b842fd0288aa9c90c Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 22 Aug 2023 18:42:50 +0200 Subject: [PATCH 31/83] epyc: open postgresql publicly --- hosts/epyc.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hosts/epyc.nix b/hosts/epyc.nix index 67025ab..0b94506 100644 --- a/hosts/epyc.nix +++ b/hosts/epyc.nix @@ -17,6 +17,10 @@ in boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; + # Open public access to our PostgreSQL. + services.postgresql.enableTCPIP = true; + networking.firewall.allowedTCPPorts = [ 5432 ]; + virtualisation.nvisor.vms = { vm01 = { config = { pkgs, ... }: { From 6eec25d2bbe47fbf81d6c02bcc0f1ba8192e4d7c Mon Sep 17 00:00:00 2001 
From: Raito Bezarius Date: Tue, 22 Aug 2023 21:17:31 +0200 Subject: [PATCH 32/83] epyc: let authentication remote --- hosts/epyc.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hosts/epyc.nix b/hosts/epyc.nix index 0b94506..4d9dbbf 100644 --- a/hosts/epyc.nix +++ b/hosts/epyc.nix @@ -19,6 +19,9 @@ in # Open public access to our PostgreSQL. services.postgresql.enableTCPIP = true; + services.postgresql.authentication = '' + host hydra-nixos-org hydra_ro ::/0 trust + ''; networking.firewall.allowedTCPPorts = [ 5432 ]; virtualisation.nvisor.vms = { From 6228f5a2df4b48fa73e297f0d316b1d4299d69b1 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 23 Aug 2023 13:00:22 +0200 Subject: [PATCH 33/83] epyc: add android cache --- hosts/epyc.nix | 1 + modules/android-cache.nix | 13 +++++++++++++ 2 files changed, 14 insertions(+) create mode 100644 modules/android-cache.nix diff --git a/hosts/epyc.nix b/hosts/epyc.nix index 4d9dbbf..bf71054 100644 --- a/hosts/epyc.nix +++ b/hosts/epyc.nix @@ -10,6 +10,7 @@ in ../modules/iperf-server.nix ../modules/hypervisor.nix ../modules/hydra/coordinator.nix + ../modules/android-cache.nix ../modules/users/friends.nix ]; diff --git a/modules/android-cache.nix b/modules/android-cache.nix new file mode 100644 index 0000000..3fa3110 --- /dev/null +++ b/modules/android-cache.nix @@ -0,0 +1,13 @@ +{ lib, ... }: +let + mirrors = { + "https://android.googlesource.com" = "/var/lib/src/aosp/mirror"; + "https://github.com/LineageOS" = "/var/lib/src/lineageos/LineageOS"; + }; +in +{ + nix.envVars.ROBOTNIX_GIT_MIRRORS = lib.concatStringsSep "|" (lib.mapAttrsToList (local: remote: "${local}=${remote}") mirrors); + + # Also add local mirrors to nix sandbox exceptions + nix.sandboxPaths = lib.attrValues mirrors; +} From 47e322b416902d4dfce1fed8a40b704f40dc5c94 Mon Sep 17 00:00:00 2001 
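Review bot: The added pg_hba line `host hydra-nixos-org hydra_ro ::/0 trust` lets any IPv6 peer connect as `hydra_ro` with no credential at all. Together with `networking.firewall.allowedTCPPorts = [ 5432 ]` from the previous patch, the database is reachable unauthenticated from the whole internet. `host` also permits unencrypted sessions. Whatever the role's grants are (not visible here), the rule should name the expected client range and a real auth method, for example `hostssl hydra-nixos-org hydra_ro <ALLOWED_PREFIX> scram-sha-256` (placeholder prefix, server TLS assumed to be configured). The port could also be opened only on the interface that needs it rather than globally. The later "re-enable postgresql" patch turns the service back on with this rule still present.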
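Review bot: In modules/android-cache.nix the lambda given to `lib.mapAttrsToList` names its arguments backwards. The attribute name is the upstream URL and the value is the local path, so `(remote: local: "${remote}=${local}")` would read correctly and produce the same string. `nix.sandboxPaths` is the legacy spelling, while the rest of this series uses `nix.settings.*`, so `nix.settings.extra-sandbox-paths = lib.attrValues mirrors;` would be consistent. The existing comment could also say that these directories become readable from every sandboxed build on the host, since that is the security-relevant effect of the exception.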
From: Raito Bezarius Date: Wed, 23 Aug 2023 14:58:50 +0200 Subject: [PATCH 34/83] epyc: disable lineageOS for now --- modules/android-cache.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/android-cache.nix b/modules/android-cache.nix index 3fa3110..1aa3e93 100644 --- a/modules/android-cache.nix +++ b/modules/android-cache.nix @@ -2,7 +2,7 @@ let mirrors = { "https://android.googlesource.com" = "/var/lib/src/aosp/mirror"; - "https://github.com/LineageOS" = "/var/lib/src/lineageos/LineageOS"; + # "https://github.com/LineageOS" = "/var/lib/src/lineageos/LineageOS"; }; in { From eff88f398d413dbd3202a449fbfaa0ca96e6ce10 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Thu, 24 Aug 2023 23:59:59 +0000 Subject: [PATCH 35/83] keys: gdd quality --- modules/users/keys/gdd.keys | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/users/keys/gdd.keys b/modules/users/keys/gdd.keys index f176c04..324c5aa 100644 --- a/modules/users/keys/gdd.keys +++ b/modules/users/keys/gdd.keys @@ -1 +1,2 @@ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIqnCNhMl5KgERtpFAVUjd11JDsf0uQ/8NY5sj4tnjw5 From 07e223048d31519524c50dfcd13bf8b387f5e703 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Thu, 24 Aug 2023 19:46:52 +0200 Subject: [PATCH 36/83] epyc: add lineageOS again --- modules/android-cache.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/android-cache.nix b/modules/android-cache.nix index 1aa3e93..7689165 100644 --- a/modules/android-cache.nix +++ b/modules/android-cache.nix @@ -2,7 +2,7 @@ let mirrors = { "https://android.googlesource.com" = "/var/lib/src/aosp/mirror"; - # "https://github.com/LineageOS" = "/var/lib/src/lineageos/LineageOS"; + "https://github.com/LineageOS" = "/var/lib/src/lineageos"; }; in { From 39134145c046fb3e2568653a40d7adf5a1bbbe2c Mon Sep 17 00:00:00 2001 
From: Raito Bezarius Date: Fri, 25 Aug 2023 15:06:19 +0200 Subject: [PATCH 37/83] epyc: add linageOS better --- modules/android-cache.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/android-cache.nix b/modules/android-cache.nix index 7689165..3fa3110 100644 --- a/modules/android-cache.nix +++ b/modules/android-cache.nix @@ -2,7 +2,7 @@ let mirrors = { "https://android.googlesource.com" = "/var/lib/src/aosp/mirror"; - "https://github.com/LineageOS" = "/var/lib/src/lineageos"; + "https://github.com/LineageOS" = "/var/lib/src/lineageos/LineageOS"; }; in { From 279344c454d0f8c52550ef8f1bc4b11ead1b19a8 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 26 Aug 2023 19:00:04 +0200 Subject: [PATCH 38/83] epyc: add TheMuppets --- modules/android-cache.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/android-cache.nix b/modules/android-cache.nix index 3fa3110..96a2968 100644 --- a/modules/android-cache.nix +++ b/modules/android-cache.nix @@ -3,6 +3,7 @@ let mirrors = { "https://android.googlesource.com" = "/var/lib/src/aosp/mirror"; "https://github.com/LineageOS" = "/var/lib/src/lineageos/LineageOS"; + "https://github.com/TheMuppets" = "/var/lib/src/themuppets/TheMuppets"; }; in { From b152bd7826272ab7d9ab117d7fd1f378d3f6e130 Mon Sep 17 00:00:00 2001 From: Julien Malka Date: Wed, 6 Sep 2023 11:22:23 +0200 Subject: [PATCH 39/83] added luj x2100 key --- modules/users/keys/luj.keys | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/users/keys/luj.keys b/modules/users/keys/luj.keys index c9c3829..a95104b 100644 --- a/modules/users/keys/luj.keys +++ b/modules/users/keys/luj.keys 
@@ -1,4 +1,5 @@ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM9Uzb7szWlux7HuxLZej9cBR5MhLz/vaAPPfSoozt2k +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHoYi9YFzovZfwrY3BUA3QqcyBE8gfNTncbs3qqkLbyY ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDCKfPoMNrnyNWH6J1OvQ+n1rvSS9Sc2iZf6E1JQC+L4 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIESMWr29i3rhj32oLV3DKe57YI+jvNaKjZhhpq6dEjsn ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOCKgHRHAJDSgKqYNfWboL04mnEOM0m0K3TGxBhBNDR From 3dcb366c3b56f93d50b3e526d49cd9b069f3b7a6 Mon Sep 17 00:00:00 2001 From: Julien Malka Date: Mon, 11 Sep 2023 19:56:06 +0200 Subject: [PATCH 40/83] I need to hydraing --- modules/users/admins.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/users/admins.nix b/modules/users/admins.nix index 2101ef7..877eb09 100644 --- a/modules/users/admins.nix +++ b/modules/users/admins.nix @@ -22,7 +22,8 @@ in luj = { isNormalUser = true; home = "/home/luj"; - inherit (config.users.users.raito) extraGroups; + inherit (config.users.users.raito); + extraGroups = extraGroups ++ [ "production-hydra-db" ]; shell = "/run/current-system/sw/bin/zsh"; uid = 1001; openssh.authorizedKeys.keyFiles = [ ./keys/luj.keys ]; From 8d57383bc37a3bd246749c5b0072448d5d9068ef Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 12 Sep 2023 14:08:03 +0200 Subject: [PATCH 41/83] epyc: add raito@thorkell in builder --- modules/builder.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/builder.nix b/modules/builder.nix index 5dc80c8..08340ea 100644 --- a/modules/builder.nix +++ b/modules/builder.nix @@ -3,8 +3,8 @@ isNormalUser = true; home = "/home/nix"; openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAZpEtSfB0GDwcELc5/AKNiBZJV9OVfQ0BMFzBlF+8Yd raito@everywhere" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA3hCOyFwuoCLt5W9e9yQSwj9I+VspB0kNNHsoFngbgZ raito@thors" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF07Sy0O+oletFYlrfS0+XtBWJO2F+Rc9J/ocNLBa/OE raito@thorkell" ]; uid = 5001; }; 
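Review bot: In the modules/users/admins.nix hunk, `inherit (config.users.users.raito);` lists no attribute names and therefore inherits nothing. The `extraGroups` on the right-hand side of the next line is then looked up in the enclosing lexical scope, not in raito's user. Unless a let-bound `extraGroups` exists outside the hunk, evaluation fails with an undefined variable. If one does exist, luj's groups silently stop following raito's. The intended form is probably `extraGroups = config.users.users.raito.extraGroups ++ [ "production-hydra-db" ];` with the empty `inherit` removed.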
From 5a1aa0eef7ba6a4549fdb6a52aa2ac3140ef9db9 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 22 Aug 2023 22:14:20 +0200 Subject: [PATCH 42/83] epyc: add garage node --- hosts/epyc.nix | 2 ++ modules/garage.nix | 26 ++++++++++++++++++++++++++ 2 files changed, 28 insertions(+) create mode 100644 modules/garage.nix diff --git a/hosts/epyc.nix b/hosts/epyc.nix index bf71054..128c2e8 100644 --- a/hosts/epyc.nix +++ b/hosts/epyc.nix @@ -11,10 +11,12 @@ in ../modules/hypervisor.nix ../modules/hydra/coordinator.nix ../modules/android-cache.nix + ../modules/garage.nix ../modules/users/friends.nix ]; networking.hostName = "epyc"; + boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; diff --git a/modules/garage.nix b/modules/garage.nix new file mode 100644 index 0000000..8859d9c --- /dev/null +++ b/modules/garage.nix @@ -0,0 +1,26 @@ +{ pkgs, ... }: { + services.garage = { + enable = true; + package = pkgs.garage_0_8; + settings = { + db_engine = "lmdb"; + block_size = (10 * 1024 * 1024); # 10MB + replication_mode = "none"; + rpc_bind_addr = "[::1]:3901"; + rpc_public_addr = "[::1]:3901"; + rpc_secret = "f5b8ede0abe0a3d454d96e8b352e29a1d94522b64274d23b256d57482441ccc1"; + + s3_api = { + s3_region = "garage"; + api_bind_addr = "[::1]:3900"; + root_domain = ".s3.infra.newtype.fr"; + }; + + s3_web = { + bind_addr = "[::1]:3902"; + root_domain = ".web.infra.newtype.fr"; + index = "index.html"; + }; + }; + }; +} From 80099f64aba28d5669af955f08b8d23b6415ecc1 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Mon, 18 Sep 2023 09:59:14 +0200 Subject: [PATCH 43/83] users/friends: allow linus to be root --- modules/users/friends.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/users/friends.nix b/modules/users/friends.nix index 684353f..afb5437 100644 --- a/modules/users/friends.nix +++ b/modules/users/friends.nix 
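Review bot: modules/garage.nix commits `rpc_secret` as a literal, so the cluster secret lives in git history and in the rendered configuration in the world-readable Nix store. The loopback `rpc_bind_addr` and `replication_mode = "none"` limit the impact today, but the value becomes a real credential as soon as a second node is added. The flake already imports agenix, so the setting could point at a decrypted file instead, e.g. `rpc_secret_file = config.age.secrets.<SECRET_NAME>.path;` (placeholder name). That needs `config` in the module arguments and a garage_0_8 build that supports `rpc_secret_file`. The committed value should be treated as burned and rotated.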
@@ -19,7 +19,9 @@ in home = "/home/linus"; shell = "/run/current-system/sw/bin/zsh"; uid = 2001; - extraGroups = trustedFriendGroups; + # Raito: I allowed linus to be root to get some stuff done + # on behalf of me. + extraGroups = [ "wheel" ] ++ trustedFriendGroups; openssh.authorizedKeys.keyFiles = [ ./keys/linus.keys ]; }; }; From df7c5aa2f99d4ef3defbd84390461c1487f57e55 Mon Sep 17 00:00:00 2001 From: Julien Malka Date: Mon, 18 Sep 2023 15:49:56 +0200 Subject: [PATCH 44/83] luj: key update --- modules/users/keys/luj.keys | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/users/keys/luj.keys b/modules/users/keys/luj.keys index a95104b..2536b0e 100644 --- a/modules/users/keys/luj.keys +++ b/modules/users/keys/luj.keys @@ -9,4 +9,5 @@ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILxfFq8wx5Bet5Q0gI28/lc9ryYYFQelpZdPPdzxGBbA ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILKIDLmQQ+P+jE4zVRpdVp8fmYEe4nzPDqYZt6A4eyIi ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAkj2xsN7Qt/Ew2QO+HiF2yOjXPRucZ3SbIdPDLJoh22 +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCUt5I3IgONzYsMOFnRXtvR/uLXlIs6oWsCmh6YGgnpGD4M9lFdoYAOeC1faQUnP66sNs6AoacrGlPZ1UkVUqYEoIr2hiNCDRzzLCQ2J/sSaw7Hv0PKT7MWMo8R076M3TrdunCchBJI1noez3waM9aL4b/iYVhxym28ET55QrWjyMQfZL9PXzOKZatNVcK8AmdtSbI+pFrm/tTZPa321drm9PHOo9CL+lG4YmVZcXa0bVfVtk1GXlWwNpCj2ExLmbF1rRpAa05khfnbg3sBSklwf5NRXj11KneodKRF81ji7MtBhIIfoEXSYht7yspdkkS9e9mv16VGV+2ziM8zG3MK/iUq7fg5ksN54D3DNrd9iI5WjQZsLUrK0ypxO2NtvupWGYt3rCyKA/QvynbxOWFp6cy3Evej142hsfbiOcPIgCtGdHIBevp+KmPxkHBqsJPBqb3Y7nOMT1/ggDMtvHZEZJjEI2D2RjZNEXGbq63OPAqEkgmecW0cXlrjLEGhF2E= From 1640f74ea96ff85936fb6f59fae13ed4a0e31857 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Fri, 22 Sep 2023 16:23:14 +0200 Subject: [PATCH 45/83] epyc: change IPv6 We remove the old legacy tunnel from HE. --- modules/hosts.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
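Review bot: The `[ "wheel" ] ++ trustedFriendGroups` grant in modules/users/friends.nix is open-ended. The comment records who allowed it but not for what task or until when. Every key in `./keys/linus.keys` now authenticates a root-capable account, so the comment should carry a removal condition, for example `# Raito: wheel for <TASK>; drop once done (review by <DATE>).` with placeholders filled in. Later patches in this series use `expires` for temporary access, and the same convention could be applied here if the account itself is meant to be temporary. The `linus` block starts outside the hunk.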
diff --git a/modules/hosts.nix b/modules/hosts.nix index 9a5bc26..e979692 100644 --- a/modules/hosts.nix +++ b/modules/hosts.nix @@ -40,7 +40,7 @@ in # usually, for each host there is a hostname.dse.in.tum.de and hostname.r domain networking.newtype.hosts = { epyc = { - ipv6 = "2001:470:ca5e:dee:587c:7a50:f36c:cae8"; + ipv6 = "2001:bc8:38ee:100::500"; }; }; }; From 0d508468e6f057f7b69c1448ae275f6ff5faa76b Mon Sep 17 00:00:00 2001 From: Linus Heckemann Date: Mon, 18 Sep 2023 11:18:07 +0200 Subject: [PATCH 46/83] garage: add reverse proxy for S3 access from outside TODO: subdomains? --- modules/garage.nix | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/modules/garage.nix b/modules/garage.nix index 8859d9c..be45bfe 100644 --- a/modules/garage.nix +++ b/modules/garage.nix @@ -23,4 +23,15 @@ }; }; }; + + services.nginx = { + enable = true; + virtualHosts."s3.infra.newtype.fr" = { + forceSSL = true; + enableACME = true; + locations."/".proxyPass = "http://[::1]:3900/"; + }; + }; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; } From 4e29b67e2980ce4336c85bb0f6530604479308c0 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 6 Dec 2023 10:45:04 +0100 Subject: [PATCH 47/83] raito: key update --- modules/users/keys/raito.keys | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/users/keys/raito.keys b/modules/users/keys/raito.keys index 7a717dd..cda49dd 100644 --- a/modules/users/keys/raito.keys +++ b/modules/users/keys/raito.keys 
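Review bot: The new `s3.infra.newtype.fr` vhost in modules/garage.nix proxies to `http://[::1]:3900/` without forwarding the client's Host header. nginx sends the upstream address as `Host` by default, while S3 request signatures cover the Host header, so signed requests may fail verification behind this proxy. Setting `recommendedProxySettings = true;` inside `services.nginx` would pass the original host through, unless that is already enabled elsewhere (not visible in this hunk). The request body limit (`services.nginx.clientMaxBodySize`) is also worth checking against the 10 MB `block_size` configured above.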
@@ -1,3 +1,4 @@ ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU +ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJFsZ7PMDt80tYXHyScQajNhqH4wuYg/o0OxfOHaZD4rXuT0VIKflKH1M9LslfHWIEH3XNeqhQOziH9r+Ny5JcM= From aaef0b57ee3be80ea66b1f534e4aea3aa81998f3 Mon Sep 17 00:00:00 2001 From: Julien Malka Date: Fri, 29 Dec 2023 17:54:33 +0100 Subject: [PATCH 48/83] added niklas as friend --- modules/users/admins.nix | 2 +- modules/users/friends.nix | 9 +++++++++ modules/users/keys/niklas.keys | 1 + 3 files changed, 11 insertions(+), 1 deletion(-) create mode 100644 modules/users/keys/niklas.keys diff --git a/modules/users/admins.nix b/modules/users/admins.nix index 877eb09..8e5363a 100644 --- a/modules/users/admins.nix +++ b/modules/users/admins.nix @@ -66,6 +66,6 @@ in }; }; - nix.settings.trusted-users = [ "raito" "luj" "gdd" "akechi" "tomate" ]; + nix.settings.trusted-users = [ "raito" "luj" "gdd" "akechi" "tomate" "fuckuniklas" ]; }; } diff --git a/modules/users/friends.nix b/modules/users/friends.nix index afb5437..6923709 100644 --- a/modules/users/friends.nix +++ b/modules/users/friends.nix @@ -24,5 +24,14 @@ in extraGroups = [ "wheel" ] ++ trustedFriendGroups; openssh.authorizedKeys.keyFiles = [ ./keys/linus.keys ]; }; + fuckuniklas = { + isNormalUser = true; + home = "/home/fuckuniklas"; + shell = "/run/current-system/sw/bin/zsh"; + uid = 2002; + extraGroups = trustedFriendGroups; + openssh.authorizedKeys.keyFiles = [ ./keys/niklas.keys ]; + }; + }; } 
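Review bot: The modules/users/admins.nix hunk adds the new account to `nix.settings.trusted-users`, although the same commit defines it in friends.nix with only `trustedFriendGroups`. Trusted users can override daemon settings such as substituters and signature checks, which is effectively root on the host. The other friend accounts visible in this series (`ninjatrappeur`, `linus`) are not in that list. If the access is only for the Hydra database, the name should be left out of `trusted-users`; otherwise a comment should say why this friend needs it. The rename patch two commits later carries the entry forward as `"niklas"`.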
diff --git a/modules/users/keys/niklas.keys b/modules/users/keys/niklas.keys new file mode 100644 index 0000000..69b674c --- /dev/null +++ b/modules/users/keys/niklas.keys @@ -0,0 +1 @@ +sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINHd1ay1FSTHZzE+3XCdUiS5efFmJ9GUvx4+7F5uXVtMAAAABHNzaDo= nikstur From 4b452f8818a9940b572a8d894b219644887414d7 Mon Sep 17 00:00:00 2001 From: Tom Hubrecht Date: Mon, 20 Nov 2023 10:16:44 +0100 Subject: [PATCH 49/83] fix(system.autoUpgrade): Use correct URI --- modules/auto-upgrade.nix | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/modules/auto-upgrade.nix b/modules/auto-upgrade.nix index ef3f0db..399b5e2 100644 --- a/modules/auto-upgrade.nix +++ b/modules/auto-upgrade.nix @@ -1,7 +1,9 @@ { pkgs, ... }: { - system.autoUpgrade.enable = true; - system.autoUpgrade.flake = "git:git.newtype.fr/newtype/newtype-org-configurations"; - system.autoUpgrade.flags = [ "--option" "accept-flake-config" "true" ]; + system.autoUpgrade = { + enable = true; + flake = "git+https://git.newtype.fr/newtype/newtype-org-configurations"; + flags = [ "--option" "accept-flake-config" "true" ]; + }; # add a random jitter so not all machines reboot at the same time. systemd.timers.auto-reboot.timerConfig.RandomizedDelaySec = 60 * 20; From b5f4697ad144008b600d8aea463bdeaf0b16af52 Mon Sep 17 00:00:00 2001 From: Julien Malka Date: Thu, 4 Jan 2024 23:34:49 +0100 Subject: [PATCH 50/83] rename niklas --- modules/users/admins.nix | 2 +- modules/users/friends.nix | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/users/admins.nix b/modules/users/admins.nix index 8e5363a..c30fe20 100644 --- a/modules/users/admins.nix +++ b/modules/users/admins.nix @@ -66,6 +66,6 @@ in }; }; - nix.settings.trusted-users = [ "raito" "luj" "gdd" "akechi" "tomate" "fuckuniklas" ]; + nix.settings.trusted-users = [ "raito" "luj" "gdd" "akechi" "tomate" "niklas" ]; }; } 
diff --git a/modules/users/friends.nix b/modules/users/friends.nix index 6923709..7914906 100644 --- a/modules/users/friends.nix +++ b/modules/users/friends.nix @@ -24,9 +24,9 @@ in extraGroups = [ "wheel" ] ++ trustedFriendGroups; openssh.authorizedKeys.keyFiles = [ ./keys/linus.keys ]; }; - fuckuniklas = { + niklas = { isNormalUser = true; - home = "/home/fuckuniklas"; + home = "/home/niklas"; shell = "/run/current-system/sw/bin/zsh"; uid = 2002; extraGroups = trustedFriendGroups; From ce2c4ef1802af1fba8e2b957cfe33225f6da1b7a Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Fri, 5 Jan 2024 18:02:22 +0100 Subject: [PATCH 51/83] epyc: move to latest kernel for snappier performance --- hosts/epyc.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/hosts/epyc.nix b/hosts/epyc.nix index 128c2e8..1c79bf2 100644 --- a/hosts/epyc.nix +++ b/hosts/epyc.nix @@ -1,4 +1,4 @@ -{ lib, ... }: +{ lib, pkgs, ... }: let gcc-system-features = arch: lib.optionals (arch != null) ([ "gccarch-${arch}" ] ++ map (x: "gccarch-${x}") lib.systems.architectures.inferiors.${arch}); @@ -20,6 +20,9 @@ in boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; + # We want to use EEVDF and AMD-related niceties. + boot.kernelPackages = pkgs.linuxPackages_latest; + # Open public access to our PostgreSQL. services.postgresql.enableTCPIP = true; services.postgresql.authentication = '' From 89e64355ea33495d0392526301db805d11ab2dcf Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 27 Jan 2024 19:12:59 +0100 Subject: [PATCH 52/83] epyc: disable hydra Signed-off-by: Raito Bezarius --- modules/hydra/coordinator.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/hydra/coordinator.nix b/modules/hydra/coordinator.nix index 55dda02..0f28dfd 100644 --- a/modules/hydra/coordinator.nix +++ b/modules/hydra/coordinator.nix 
@@ -1,6 +1,6 @@ { pkgs, ... }: { services.hydra = { - enable = true; + enable = false; hydraURL = "https://hydra.newtype.fr"; notificationSender = "hydra@localhost"; buildMachinesFiles = [ "/etc/nix/machines" ]; From 495790a1425dff7ecb9a386ceac59e03544d557f Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 27 Jan 2024 19:13:04 +0100 Subject: [PATCH 53/83] android-cache: remove the aosp mirror for now Signed-off-by: Raito Bezarius --- modules/android-cache.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/android-cache.nix b/modules/android-cache.nix index 96a2968..64e161b 100644 --- a/modules/android-cache.nix +++ b/modules/android-cache.nix @@ -1,7 +1,7 @@ { lib, ... }: let mirrors = { - "https://android.googlesource.com" = "/var/lib/src/aosp/mirror"; + # "https://android.googlesource.com" = "/mnt/aospaosp/mirror"; "https://github.com/LineageOS" = "/var/lib/src/lineageos/LineageOS"; "https://github.com/TheMuppets" = "/var/lib/src/themuppets/TheMuppets"; }; From b5053ab520aa8550e5b169e620d111167a9cf64d Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 27 Jan 2024 19:13:13 +0100 Subject: [PATCH 54/83] nix: clean up various things for upcoming GC Signed-off-by: Raito Bezarius --- modules/nix-daemon.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/nix-daemon.nix b/modules/nix-daemon.nix index 760c768..0cad83b 100644 --- a/modules/nix-daemon.nix +++ b/modules/nix-daemon.nix @@ -57,8 +57,8 @@ in nrBuildUsers = 128; settings = { - keep-outputs = true; - keep-derivations = true; + keep-outputs = false; + keep-derivations = false; use-cgroups = true; http-connections = 0; auto-allocate-uids = true; @@ -76,7 +76,7 @@ in ]; experimental-features = [ "auto-allocate-uids" - "ca-derivations" + # "ca-derivations" this feature is really extremely broken. "cgroups" "discard-references" "fetch-closure" From 3cc55253a4799233bcd495fdf9c677307275bb1c Mon Sep 17 00:00:00 2001 
From: Raito Bezarius Date: Sat, 27 Jan 2024 19:18:05 +0100 Subject: [PATCH 55/83] flake: upgrade to 23.11 systems Signed-off-by: Raito Bezarius --- flake.lock | 16 ++++++++-------- flake.nix | 4 ++-- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/flake.lock b/flake.lock index 5f9ac55..12b99b1 100644 --- a/flake.lock +++ b/flake.lock @@ -286,16 +286,16 @@ ] }, "locked": { - "lastModified": 1687871164, - "narHash": "sha256-bBFlPthuYX322xOlpJvkjUBz0C+MOBjZdDOOJJ+G2jU=", + "lastModified": 1705659542, + "narHash": "sha256-WA3xVfAk1AYmFdwghT7mt/erYpsU6JPu9mdTEP/e9HQ=", "owner": "rycee", "repo": "home-manager", - "rev": "07c347bb50994691d7b0095f45ebd8838cf6bc38", + "rev": "10cd9c53115061aa6a0a90aad0b0dde6a999cdb9", "type": "github" }, "original": { "owner": "rycee", - "ref": "release-23.05", + "ref": "release-23.11", "repo": "home-manager", "type": "github" } @@ -388,16 +388,16 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1691083802, - "narHash": "sha256-bjWTVGskCWR2BdB0Glnj2FyHooNiFThkFBF4oaAMe2s=", + "lastModified": 1706373441, + "narHash": "sha256-S1hbgNbVYhuY2L05OANWqmRzj4cElcbLuIkXTb69xkk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "096c262bbb73d84b8298d81c7daa9890c6ccd6da", + "rev": "56911ef3403a9318b7621ce745f5452fb9ef6867", "type": "github" }, "original": { "owner": "NixOS", - "ref": "release-23.05", + "ref": "release-23.11", "repo": "nixpkgs", "type": "github" } diff --git a/flake.nix b/flake.nix index d4b5920..88aaf19 100644 --- a/flake.nix +++ b/flake.nix 
@@ -10,13 +10,13 @@ flake-parts.url = "github:hercules-ci/flake-parts"; flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs"; - nixpkgs.url = "github:NixOS/nixpkgs/release-23.05"; + nixpkgs.url = "github:NixOS/nixpkgs/release-23.11"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; nixos-hardware.url = "github:NixOS/nixos-hardware"; nur.url = "github:nix-community/NUR"; - home-manager.url = "github:rycee/home-manager/release-23.05"; + home-manager.url = "github:rycee/home-manager/release-23.11"; home-manager.inputs.nixpkgs.follows = "nixpkgs"; agenix.url = "github:ryantm/agenix"; From 056f8be2a50e6b0b771d5117389f8139d0704f0a Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 27 Jan 2024 19:15:22 +0100 Subject: [PATCH 56/83] epyc: disable ninjatrappeur's account Signed-off-by: Raito Bezarius --- modules/users/friends.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/modules/users/friends.nix b/modules/users/friends.nix index 7914906..58620aa 100644 --- a/modules/users/friends.nix +++ b/modules/users/friends.nix @@ -6,12 +6,14 @@ let in { users.users = { + # Raito: unused since a while, it was made for working on the production database of Hydra. ninjatrappeur = { isNormalUser = true; home = "/home/ninjatrappeur"; shell = "/run/current-system/sw/bin/zsh"; uid = 2000; extraGroups = trustedFriendGroups; + expires = "2024-01-01"; openssh.authorizedKeys.keyFiles = [ ./keys/ninjatrappeur.keys ]; }; linus = { From ed5f2cb13fdb1f9c4ce3827e14ad0c1b2cdc55b2 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 27 Jan 2024 19:15:28 +0100 Subject: [PATCH 57/83] epyc: add flokli account for 3-ish days Signed-off-by: Raito Bezarius --- modules/users/friends.nix | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/modules/users/friends.nix b/modules/users/friends.nix index 58620aa..068f799 100644 --- a/modules/users/friends.nix +++ b/modules/users/friends.nix 
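Review bot: In modules/users/friends.nix the `ninjatrappeur` account is disabled only by `expires = "2024-01-01";`, while `extraGroups = trustedFriendGroups;` and the `authorizedKeys.keyFiles` entry stay deployed. Expiry is enforced at login time, so the revocation depends on that check alone, and deleting or changing the one line restores full access to the Hydra database group. Since the comment says the account is unused, it would be cleaner to set `extraGroups = [ ];` and `openssh.authorizedKeys.keyFiles = [ ];` alongside the expiry, or remove the block and key file entirely.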
@@ -34,6 +34,17 @@ in extraGroups = trustedFriendGroups; openssh.authorizedKeys.keyFiles = [ ./keys/niklas.keys ]; }; - + # Raito: Temporary account for flokli, disable when he's done with it. + flokli = { + isNormalUser = true; + home = "/home/flokli"; + shell = "/run/current-system/sw/bin/zsh"; + uid = 2003; + expires = "2024-02-01"; + extraGroups = trustedFriendGroups; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTVTXOutUZZjXLB0lUSgeKcSY/8mxKkC0ingGK1whD2 flokli" + ]; + }; }; } From f1692a7287867487b4b133bd936942a2e563596b Mon Sep 17 00:00:00 2001 From: raito Date: Mon, 12 Feb 2024 19:07:59 +0100 Subject: [PATCH 58/83] epyc: re-enable postgresql Signed-off-by: raito --- hosts/epyc.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/epyc.nix b/hosts/epyc.nix index 1c79bf2..8389142 100644 --- a/hosts/epyc.nix +++ b/hosts/epyc.nix @@ -24,6 +24,7 @@ in boot.kernelPackages = pkgs.linuxPackages_latest; # Open public access to our PostgreSQL. + services.postgresql.enable = true; services.postgresql.enableTCPIP = true; services.postgresql.authentication = '' host hydra-nixos-org hydra_ro ::/0 trust From c459d2a74422738dfdcc6a1cd88321a09fac1790 Mon Sep 17 00:00:00 2001 From: raito Date: Mon, 12 Feb 2024 19:08:12 +0100 Subject: [PATCH 59/83] epyc: disable buildbot not used Signed-off-by: raito --- configurations.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configurations.nix b/configurations.nix index f14c0a0..6645be4 100644 --- a/configurations.nix +++ b/configurations.nix @@ -36,7 +36,7 @@ let ./modules/network.nix ./modules/zsh.nix ./modules/ssh-cursed.nix - ./modules/buildbot + # FIXME: ./modules/buildbot — whenever you are ready. disko.nixosModules.disko From 84d0cd52c220683d5ac466a703f5ef312a5cb0a9 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Mon, 4 Mar 2024 00:59:08 +0100 Subject: [PATCH 60/83] epyc: bump things 
Signed-off-by: Raito Bezarius --- flake.lock | 168 +++++++++++++++++++++++------------------------------ 1 file changed, 74 insertions(+), 94 deletions(-) diff --git a/flake.lock b/flake.lock index 12b99b1..c5de10c 100644 --- a/flake.lock +++ b/flake.lock @@ -6,14 +6,15 @@ "home-manager": "home-manager", "nixpkgs": [ "nixpkgs" - ] + ], + "systems": "systems" }, "locked": { - "lastModified": 1690228878, - "narHash": "sha256-9Xe7JV0krp4RJC9W9W9WutZVlw6BlHTFMiUP/k48LQY=", + "lastModified": 1707830867, + "narHash": "sha256-PAdwm5QqdlwIqGrfzzvzZubM+FXtilekQ/FA0cI49/o=", "owner": "ryantm", "repo": "agenix", - "rev": "d8c973fd228949736dedf61b7f8cc1ece3236792", + "rev": "8cb01a0e717311680e0cbca06a76cbceba6f3ed6", "type": "github" }, "original": { @@ -31,11 +32,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1689457600, - "narHash": "sha256-1XLn2ZZMaqQx+Ys3eel5hQRkgUn3DeHcVb2JT8WYU0A=", + "lastModified": 1707922053, + "narHash": "sha256-wSZjK+rOXn+UQiP1NbdNn5/UW6UcBxjvlqr2wh++MbM=", "owner": "zhaofengli", "repo": "attic", - "rev": "4902d57f5dae8ec660ee9ee14c45c2192f9fe8b1", + "rev": "6eabc3f02fae3683bffab483e614bebfcd476b21", "type": "github" }, "original": { @@ -54,11 +55,11 @@ "stable": "stable" }, "locked": { - "lastModified": 1688224393, - "narHash": "sha256-rsAvFNhRFzTF7qyb6WprLFghJnRxMFjvD2e5/dqMp4I=", + "lastModified": 1706509311, + "narHash": "sha256-QQKQ6r3CID8aXn2ZXZ79ZJxdCOeVP+JTnOctDALErOw=", "owner": "zhaofengli", "repo": "colmena", - "rev": "19384f3ee2058c56021e4465a3ec57e84a47d8dd", + "rev": "c84ccd0a7a712475e861c2b111574472b1a8d0cd", "type": "github" }, "original": { 
@@ -69,26 +70,17 @@ }, "crane": { "inputs": { - "flake-compat": [ - "attic", - "flake-compat" - ], - "flake-utils": [ - "attic", - "flake-utils" - ], "nixpkgs": [ "attic", "nixpkgs" - ], - "rust-overlay": "rust-overlay" + ] }, "locked": { - "lastModified": 1677892403, - "narHash": "sha256-/Wi0L1spSWLFj+UQxN3j0mPYMoc7ZoAujpUF/juFVII=", + "lastModified": 1702918879, + "narHash": "sha256-tWJqzajIvYcaRWxn+cLUB9L9Pv4dQ3Bfit/YjU5ze3g=", "owner": "ipetkov", "repo": "crane", - "rev": "105e27adb70a9890986b6d543a67761cbc1964a2", + "rev": "7195c00c272fdd92fc74e7d5a0a2844b9fadb2fb", "type": "github" }, "original": { @@ -105,11 +97,11 @@ ] }, "locked": { - "lastModified": 1673295039, - "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=", + "lastModified": 1700795494, + "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", "owner": "lnl7", "repo": "nix-darwin", - "rev": "87b9d090ad39b25b2400029c64825fc2a8868943", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", "type": "github" }, "original": { @@ -126,11 +118,11 @@ ] }, "locked": { - "lastModified": 1690739034, - "narHash": "sha256-roW02IaiQ3gnEEDMCDWL5YyN+C4nBf/te6vfL7rG0jk=", + "lastModified": 1709439398, + "narHash": "sha256-MW0zp3ta7SvdpjvhVCbtP20ewRwQZX2vRFn14gTc4Kg=", "owner": "nix-community", "repo": "disko", - "rev": "4015740375676402a2ee6adebc3c30ea625b9a94", + "rev": "1f76b318aa11170c8ca8c225a9b4c458a5fcbb57", "type": "github" }, "original": { @@ -178,11 +170,11 @@ ] }, "locked": { - "lastModified": 1690933134, - "narHash": "sha256-ab989mN63fQZBFrkk4Q8bYxQCktuHmBIBqUG1jl6/FQ=", + "lastModified": 1709336216, + "narHash": "sha256-Dt/wOWeW6Sqm11Yh+2+t0dfEWxoMxGBvv3JpIocFl9E=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "59cf3f1447cfc75087e7273b04b31e689a8599fb", + "rev": "f7b3c975cf067e56e7cda6cb098ebe3fb4d74ca2", "type": "github" }, "original": { 
@@ -215,11 +207,11 @@ "flake-registry": { "flake": false, "locked": { - "lastModified": 1689333397, - "narHash": "sha256-g1Nn0sgH/hR/gEAQ1q6bloU+Q+V+Y4HlBBH6CBxC0HM=", + "lastModified": 1705308826, + "narHash": "sha256-Z3xTYZ9EcRIqZAufZbci912MUKB0sD+qxi/KTGMFVwY=", "owner": "NixOS", "repo": "flake-registry", - "rev": "5d8dc3eb692809ffd9a2f22cdb8015aa11972905", + "rev": "9c69f7bd2363e71fe5cd7f608113290c7614dcdd", "type": "github" }, "original": { @@ -266,11 +258,11 @@ ] }, "locked": { - "lastModified": 1682203081, - "narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=", + "lastModified": 1703113217, + "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", "owner": "nix-community", "repo": "home-manager", - "rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1", + "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", "type": "github" }, "original": { @@ -286,11 +278,11 @@ ] }, "locked": { - "lastModified": 1705659542, - "narHash": "sha256-WA3xVfAk1AYmFdwghT7mt/erYpsU6JPu9mdTEP/e9HQ=", + "lastModified": 1706981411, + "narHash": "sha256-cLbLPTL1CDmETVh4p0nQtvoF+FSEjsnJTFpTxhXywhQ=", "owner": "rycee", "repo": "home-manager", - "rev": "10cd9c53115061aa6a0a90aad0b0dde6a999cdb9", + "rev": "652fda4ca6dafeb090943422c34ae9145787af37", "type": "github" }, "original": { @@ -302,11 +294,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1690957133, - "narHash": "sha256-0Y4CiOIszhHDDXHFmvHUpmhUotKOIn0m3jpMlm6zUTE=", + "lastModified": 1709410583, + "narHash": "sha256-esOSUoQ7mblwcsSea0K17McZuwAIjoS6dq/4b83+lvw=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "24f9162b26f0debd163f6d94752aa2acb9db395a", + "rev": "59e37017b9ed31dee303dbbd4531c594df95cfbc", "type": "github" }, "original": { 
@@ -340,11 +332,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1686519857, - "narHash": "sha256-VkBhuq67aXXiCoEmicziuDLUPPjeOTLQoj6OeVai5zM=", + "lastModified": 1702539185, + "narHash": "sha256-KnIRG5NMdLIpEkZTnN5zovNYc0hhXjAgv6pfd5Z4c7U=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6b1b72c0f887a478a5aac355674ff6df0fc44f44", + "rev": "aa9d4729cbc99dabacb50e3994dcefb3ea0f7447", "type": "github" }, "original": { @@ -356,27 +348,27 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1685004253, - "narHash": "sha256-AbVL1nN/TDicUQ5wXZ8xdLERxz/eJr7+o8lqkIOVuaE=", + "lastModified": 1702780907, + "narHash": "sha256-blbrBBXjjZt6OKTcYX1jpe9SRof2P9ZYWPzq22tzXAA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3e01645c40b92d29f3ae76344a6d654986a91a91", + "rev": "1e2e384c5b7c50dbf8e9c441a9e58d85f408b01f", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-23.05", + "ref": "nixos-23.11", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-unstable": { "locked": { - "lastModified": 1691003216, - "narHash": "sha256-Qq/MPkhS12Bl0X060pPvX3v9ac3f2rRQfHjjozPh/Qs=", + "lastModified": 1709356872, + "narHash": "sha256-mvxCirJbtkP0cZ6ABdwcgTk0u3bgLoIoEFIoYBvD6+4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4a56ce9727a0c5478a836a0d8a8f641c5b9a3d5f", + "rev": "458b097d81f90275b3fdf03796f0563844926708", "type": "github" }, "original": { @@ -388,11 +380,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1706373441, - "narHash": "sha256-S1hbgNbVYhuY2L05OANWqmRzj4cElcbLuIkXTb69xkk=", + "lastModified": 1709428628, + "narHash": "sha256-//ZCCnpVai/ShtO2vPjh3AWgo8riXCaret6V9s7Hew4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "56911ef3403a9318b7621ce745f5452fb9ef6867", + "rev": "66d65cb00b82ffa04ee03347595aa20e41fe3555", "type": "github" }, "original": { 
@@ -404,11 +396,11 @@ }, "nur": { "locked": { - "lastModified": 1691109630, - "narHash": "sha256-NkltnE+ZMABNP7pJVj7ftu/58aTGa5PXxICLr8fjkI4=", + "lastModified": 1709439575, + "narHash": "sha256-49f8WbTUE4C8VrIxS2DrINOncakhFChcmZ6xccVSfkA=", "owner": "nix-community", "repo": "NUR", - "rev": "dcd922e7738fc027c73cd2cc110015d38fba9651", + "rev": "075c3094d6c6c3fae0e107de41e2367d17341ac4", "type": "github" }, "original": { @@ -434,33 +426,6 @@ "srvos": "srvos" } }, - "rust-overlay": { - "inputs": { - "flake-utils": [ - "attic", - "crane", - "flake-utils" - ], - "nixpkgs": [ - "attic", - "crane", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1675391458, - "narHash": "sha256-ukDKZw922BnK5ohL9LhwtaDAdCsJL7L6ScNEyF1lO9w=", - "owner": "oxalica", - "repo": "rust-overlay", - "rev": "383a4acfd11d778d5c2efcf28376cbd845eeaedf", - "type": "github" - }, - "original": { - "owner": "oxalica", - "repo": "rust-overlay", - "type": "github" - } - }, "srvos": { "inputs": { "nixpkgs": [ @@ -468,11 +433,11 @@ ] }, "locked": { - "lastModified": 1690557184, - "narHash": "sha256-KMGPz3pP7OoUZaUhgcuYG84CtVaJOQw6RK8J0fAtKt0=", + "lastModified": 1709301784, + "narHash": "sha256-Yf7HeS2VZCD8kD/wEgnToyt9YqQhCle/9TazmFYnjsE=", "owner": "numtide", "repo": "srvos", - "rev": "ceed433086a85e5540bd73cff46497af5a09e36f", + "rev": "9501896e0edf01d2cbd5fa6f0dbb3aafc00dae81", "type": "github" }, "original": { 
@@ -483,20 +448,35 @@ }, "stable": { "locked": { - "lastModified": 1669735802, - "narHash": "sha256-qtG/o/i5ZWZLmXw108N2aPiVsxOcidpHJYNkT45ry9Q=", + "lastModified": 1696039360, + "narHash": "sha256-g7nIUV4uq1TOVeVIDEZLb005suTWCUjSY0zYOlSBsyE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "731cc710aeebecbf45a258e977e8b68350549522", + "rev": "32dcb45f66c0487e92db8303a798ebc548cadedc", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-22.11", + "ref": "nixos-23.05", "repo": "nixpkgs", "type": "github" } }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "treefmt-nix": { "inputs": { "nixpkgs": [ From 6beda4c58f7206032de6c1e4ededaca0154be98d Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Mon, 4 Mar 2024 00:59:16 +0100 Subject: [PATCH 61/83] epyc: move to Nix 2.18, remove discard references exp feature Signed-off-by: Raito Bezarius --- modules/nix-daemon.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nix-daemon.nix b/modules/nix-daemon.nix index 0cad83b..9ebbe82 100644 --- a/modules/nix-daemon.nix +++ b/modules/nix-daemon.nix @@ -51,6 +51,7 @@ in gc.randomizedDelaySec = "1800"; # Inchallah, it works. + package = pkgs.nixVersions.nix_2_18; # package = lib.mkForce inputs.nixpkgs-unstable.legacyPackages.x86_64-linux.nixVersions.nix_2_17; # should be enough? @@ -78,7 +79,6 @@ in "auto-allocate-uids" # "ca-derivations" this feature is really extremely broken. "cgroups" - "discard-references" "fetch-closure" "impure-derivations" ]; From 6c0d19e0052ef3d4698b68f146b4e794fe08d5a0 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Mon, 4 Mar 2024 00:59:21 +0100 Subject: [PATCH 62/83] epyc: disable all android cache for now 
Signed-off-by: Raito Bezarius --- modules/android-cache.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/android-cache.nix b/modules/android-cache.nix index 64e161b..1193f37 100644 --- a/modules/android-cache.nix +++ b/modules/android-cache.nix @@ -2,8 +2,8 @@ let mirrors = { # "https://android.googlesource.com" = "/mnt/aospaosp/mirror"; - "https://github.com/LineageOS" = "/var/lib/src/lineageos/LineageOS"; - "https://github.com/TheMuppets" = "/var/lib/src/themuppets/TheMuppets"; + # "https://github.com/LineageOS" = "/var/lib/src/lineageos/LineageOS"; + # "https://github.com/TheMuppets" = "/var/lib/src/themuppets/TheMuppets"; }; in { From 0c4334571c8f4cd35958caa3db8ab6e9d9b2b042 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Mon, 4 Mar 2024 00:59:45 +0100 Subject: [PATCH 63/83] builder: add top secret's project buildbot key The cgroup will be nerfed and noise should be low, ping me if something goes wrong. Signed-off-by: Raito Bezarius --- modules/builder.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/builder.nix b/modules/builder.nix index 08340ea..7c3ff3e 100644 --- a/modules/builder.nix +++ b/modules/builder.nix @@ -5,6 +5,7 @@ openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA3hCOyFwuoCLt5W9e9yQSwj9I+VspB0kNNHsoFngbgZ raito@thors" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF07Sy0O+oletFYlrfS0+XtBWJO2F+Rc9J/ocNLBa/OE raito@thorkell" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDu4cEqZzAI/1vZjSQkTJ4ijIg9nuloOuSKUrnkJIOFn buildbot@top-secret" # Top secret's project buildbot key ]; uid = 5001; }; From d3505a8b2dac7de78f7683a23ef3d0c34f60c70e Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Mon, 4 Mar 2024 01:28:44 +0100 Subject: [PATCH 64/83] docs: update Signed-off-by: Raito Bezarius --- docs/epyc.lstopo.svg | 110 ++++++++++++++++++++++--------------------- docs/epyc.md | 94 ++++++++++++++++++------------------ 2 files changed, 106 insertions(+), 98 deletions(-) 
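Review bot: The buildbot key added to `openssh.authorizedKeys.keys` in modules/builder.nix has no authorized_keys options, so its holder gets everything sshd allows the builder user, including port and agent forwarding and a pty. For a CI key that only drives remote builds, prefixing the entry with `restrict` limits it to command execution: `"restrict ssh-ed25519 <key> buildbot@top-secret"`. The trailing comment would serve a later audit or revocation better if it named an owner or contact rather than "Top secret's project". The same applies to the winterqt key appended to this list in PATCH 67. The user definition starts above the hunk, so any other limits on this account are not visible here.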
diff --git a/docs/epyc.lstopo.svg b/docs/epyc.lstopo.svg index 6c0d2ec..4b13ca6 100644 --- a/docs/epyc.lstopo.svg +++ b/docs/epyc.lstopo.svg @@ -1,7 +1,7 @@ - - - Machine (126GB total) + + + Machine (252GB total) Package L#0 @@ -153,18 +153,18 @@ PU L#127 P#127 - NUMANode L#0 P#0 (126GB) + NUMANode L#0 P#0 (252GB) 7.9 - 4.0 - - 0.2 - - 1.0 - + 3.9 + + 0.2 + + 1.0 + @@ -178,52 +178,56 @@ + 3.9 - - PCI 43:00.0 - - - - 0.2 - - - - - - - PCI 46:00.0 - - - - 1.0 - - 1.0 - - - PCI 48:00.0 - - Net eno1 - - PCI 48:00.1 - - Net eno2 + + PCI 42:00.0 + + Block nvme1n1 + 3726 GB + + + + 0.2 + + + + + + + PCI 45:00.0 + + + + 1.0 + + 1.0 + + + PCI 47:00.0 + + Net nat-lan + + PCI 47:00.1 + + Net wan MemoryModule MemoryModule - - MemoryModule - - MemoryModule - - MemoryModule - - MemoryModule - - MemoryModule - - MemoryModule - - Host: epyc - Date: Mon 05 Jun 2023 03:19:33 PM UTC + + MemoryModule + + MemoryModule + + MemoryModule + + MemoryModule + + MemoryModule + + MemoryModule + + Host: epyc + Date: Mon 04 Mar 2024 12:28:26 AM UTC diff --git a/docs/epyc.md b/docs/epyc.md index bd39c52..e26978d 100644 --- a/docs/epyc.md +++ b/docs/epyc.md 
@@ -1,20 +1,25 @@ # epyc ``` -System: Host: epyc Kernel: 6.1.31 x86_64 bits: 64 compiler: gcc v: 12.2.0 - parameters: initrd=\efi\nixos\11cjvasd1nh1dk783alsa14v4w00d467-initrd-linux-6.1.31-initrd.efi - init=/nix/store/9lnrp5ryf7gh3j94q8xn39zyl21kaw9f-nixos-system-epyc-23.05.419.3a70dd92993/init +System: Host: epyc Kernel: 6.7.7 x86_64 bits: 64 compiler: gcc v: 12.3.0 + parameters: initrd=\efi\nixos\48dkb2vcxwmxxfk7wpl0qx884ibz5gk5-initrd-linux-6.7.7-initrd.efi + init=/nix/store/vz6r23gya5q3b8lr1yiadkv6h5lcjmmz-nixos-system-epyc-23.11pre-git/init + console=tty0 console=ttyS0,115200 pci=realloc console=ttyS1,115200n8 console=tty1 loglevel=4 - Console: N/A Distro: NixOS 23.05 (Stoat) + Console: N/A Distro: NixOS 23.11 (Tapir) Machine: Type: Server System: Supermicro product: Super Server v: 0123456789 serial: 0123456789 Chassis: type: 17 v: 0123456789 serial: 0123456789 Mobo: Supermicro model: H12SSL-i v: 1.01 serial: WM21AS601818 UEFI: American Megatrends v: 2.4 date: 04/14/2022 -Memory: RAM: total: 125.64 GiB used: 2.32 GiB (1.8%) +Memory: RAM: total: 251.54 GiB used: 4.56 GiB (1.8%) Array-1: capacity: 4 TiB note: check slots: 8 EC: Multi-bit ECC max-module-size: 512 GiB note: est. - Device-1: DIMMA1 size: No Module Installed - Device-2: DIMMB1 size: No Module Installed + Device-1: DIMMA1 size: 64 GiB speed: 3200 MT/s type: DDR4 + detail: synchronous registered (buffered) bus-width: 64 bits total: 72 bits + manufacturer: Samsung part-no: M393A8G40AB2-CWE serial: H0S100013847D8748B + Device-2: DIMMB1 size: 64 GiB speed: 3200 MT/s type: DDR4 + detail: synchronous registered (buffered) bus-width: 64 bits total: 72 bits + manufacturer: Samsung part-no: M393A8G40AB2-CWE serial: H0MK00013847D79D40 Device-3: DIMMC1 size: 64 GiB speed: 3200 MT/s type: DDR4 detail: synchronous registered (buffered) bus-width: 64 bits total: 72 bits manufacturer: Samsung part-no: M393A8G40AB2-CWE serial: Y10R120249249E38E1 
@@ -27,7 +32,7 @@ Memory: RAM: total: 125.64 GiB used: 2.32 GiB (1.8%) Device-8: DIMMH1 size: No Module Installed PCI Slots: Slot: 1 type: x16 PCI Express 4 x16 CPU SLOT1 PCI-E 4.0 X16 status: Available length: Long - Slot: 2 type: x8 PCI Express 4 x8 CPU SLOT2 PCI-E 4.0 X8 status: In Use length: Long + Slot: 2 type: x8 PCI Express 4 x8 CPU SLOT2 PCI-E 4.0 X8 status: Available length: Long Slot: 3 type: x16 PCI Express 4 x16 CPU SLOT3 PCI-E 4.0 X16 status: Available length: Long Slot: 4 type: x8 PCI Express 4 x8 CPU SLOT4 PCI-E 4.0 X8 status: Available length: Long 
@@ -40,16 +45,16 @@ PCI Slots: Slot: 1 type: x16 PCI Express 4 x16 CPU SLOT1 PCI-E 4.0 X16 status: A Slot: N/A type: x4 M.2 Socket 3 PCI-E M.2-M1 status: Available length: Short Slot: N/A type: x4 M.2 Socket 3 PCI-E M.2-M2 status: Available length: Short CPU: Info: 64-Core model: AMD EPYC 7763 socket: SP3 bits: 64 type: MT MCP arch: Zen 3 - family: 19 (25) model-id: 1 stepping: 1 microcode: A0011CE cache: L1: 4 MiB L2: 32 MiB + family: 19 (25) model-id: 1 stepping: 1 microcode: A0011D3 cache: L1: 4 MiB L2: 32 MiB L3: 256 MiB - flags: avx avx2 lm nx pae sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3 svm bogomips: 627203 + flags: avx avx2 lm nx pae sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3 svm bogomips: 627200 Speed: 2450 MHz min/max: 1500/2450 MHz base/boost: 2450/3525 boost: enabled volts: 1.1 V ext-clock: 100 MHz Core speeds (MHz): 1: 2450 2: 2450 3: 2450 4: 2450 5: 2450 6: 2450 7: 2450 8: 2450 9: 2450 10: 2450 11: 2450 12: 2450 13: 2450 14: 2450 - 15: 2450 16: 2450 17: 2450 18: 2450 19: 2450 20: 2450 21: 1799 22: 2450 23: 2450 + 15: 2450 16: 2450 17: 2450 18: 2450 19: 2450 20: 2450 21: 2450 22: 2450 23: 2450 24: 2450 25: 2450 26: 2450 27: 2450 28: 2450 29: 2450 30: 2450 31: 2450 32: 2450 33: 2450 34: 2450 35: 2450 36: 2450 37: 2450 38: 2450 39: 2450 40: 2450 41: 2450 - 42: 2450 43: 2450 44: 3525 45: 2450 46: 2450 47: 2450 48: 2450 49: 2450 50: 2450 + 42: 2450 43: 2450 44: 2450 45: 3525 46: 2450 47: 2450 48: 2450 49: 2450 50: 2450 51: 2450 52: 2450 53: 2450 54: 2450 55: 2450 56: 2450 57: 2450 58: 2450 59: 2450 60: 2450 61: 2450 62: 2450 63: 2450 64: 2450 65: 2450 66: 2450 67: 2450 68: 2450 69: 2450 70: 2450 71: 2450 72: 2450 73: 2450 74: 2450 75: 2450 76: 2450 77: 2450 
@@ -57,14 +62,16 @@ CPU: Info: 64-Core model: AMD EPYC 7763 socket: SP3 bits: 64 type: MT MCP 87: 2450 88: 2450 89: 2450 90: 2450 91: 2450 92: 2450 93: 2450 94: 2450 95: 2450 96: 2450 97: 2450 98: 2450 99: 2450 100: 2450 101: 2450 102: 2450 103: 2450 104: 2450 105: 2450 106: 2450 107: 2450 108: 2450 109: 2450 110: 2450 111: 2450 112: 2450 - 113: 2450 114: 2450 115: 2450 116: 2450 117: 2450 118: 1799 119: 2450 120: 2450 + 113: 2450 114: 2450 115: 2450 116: 2450 117: 2450 118: 2450 119: 2450 120: 2450 121: 2450 122: 2450 123: 2450 124: 2450 125: 2450 126: 2450 127: 2450 128: 2450 - Vulnerabilities: Type: itlb_multihit status: Not affected + Vulnerabilities: Type: gather_data_sampling status: Not affected + Type: itlb_multihit status: Not affected Type: l1tf status: Not affected Type: mds status: Not affected Type: meltdown status: Not affected Type: mmio_stale_data status: Not affected Type: retbleed status: Not affected + Type: spec_rstack_overflow mitigation: Safe RET Type: spec_store_bypass mitigation: Speculative Store Bypass disabled via prctl Type: spectre_v1 mitigation: usercopy/swapgs barriers and __user pointer sanitization Type: spectre_v2 mitigation: Retpolines, IBPB: conditional, IBRS_FW, STIBP: always-on, 
@@ -72,50 +79,47 @@ CPU: Info: 64-Core model: AMD EPYC 7763 socket: SP3 bits: 64 type: MT MCP Type: srbds status: Not affected Type: tsx_async_abort status: Not affected Graphics: Device-1: ASPEED Graphics Family vendor: Super Micro H12SSL-i driver: ast v: kernel - bus-ID: 46:00.0 chip-ID: 1a03:2000 class-ID: 0300 + bus-ID: 45:00.0 chip-ID: 1a03:2000 class-ID: 0300 Display: server: No display server data found. Headless machine? tty: N/A Message: Advanced graphics data unavailable in console for root. Audio: Message: No device data found. -Network: Device-1: Intel 82599ES 10-Gigabit SFI/SFP+ Network driver: N/A modules: ixgbe - port: 1000 bus-ID: 43:00.0 chip-ID: 8086:10fb class-ID: 0200 +Network: Device-1: Broadcom NetXtreme BCM5720 Gigabit Ethernet PCIe vendor: Super Micro H12SSL-i + driver: tg3 v: kernel port: N/A bus-ID: 47:00.0 chip-ID: 14e4:165f class-ID: 0200 + IF: nat-lan state: up speed: 1000 Mbps duplex: full mac: 3c:ec:ef:7e:bd:c8 + IP v4: 10.32.65.13/20 type: dynamic scope: global + IP v6: fe80::3eec:efff:fe7e:bdc8/64 virtual: proto kernel_ll scope: link Device-2: Broadcom NetXtreme BCM5720 Gigabit Ethernet PCIe vendor: Super Micro H12SSL-i - driver: tg3 v: kernel port: 2000 bus-ID: 48:00.0 chip-ID: 14e4:165f class-ID: 0200 - IF: eno1 state: up speed: 1000 Mbps duplex: full mac: 3c:ec:ef:7e:bd:c8 - IP v4: 10.32.65.13/20 type: dynamic noprefixroute scope: global broadcast: 10.32.79.255 - IP v6: fe80::3eec:efff:fe7e:bdc8/64 scope: link - Device-3: Broadcom NetXtreme BCM5720 Gigabit Ethernet PCIe vendor: Super Micro H12SSL-i - driver: tg3 v: kernel port: 2000 bus-ID: 48:00.1 chip-ID: 14e4:165f class-ID: 0200 - IF: eno2 state: up speed: 1000 Mbps duplex: full mac: 3c:ec:ef:7e:bd:c9 - IP v4: 169.254.249.6/16 type: noprefixroute scope: global broadcast: 169.254.255.255 - IP v6: 2001:470:ca5e:dee:587c:7a50:f36c:cae8/64 type: temporary dynamic scope: global - IP v6: 2001:470:ca5e:dee:3eec:efff:fe7e:bdc9/64 type: dynamic mngtmpaddr noprefixroute - scope: global 
- IP v6: fe80::3eec:efff:fe7e:bdc9/64 scope: link - IF-ID-1: enp74s0f3u1u2c2 state: unknown speed: -1 duplex: half mac: be:3a:f2:b6:05:9f - IP v4: 169.254.3.1/24 type: dynamic noprefixroute scope: global - broadcast: 169.254.3.255 - IP v6: fe80::bc3a:f2ff:feb6:59f/64 scope: link + driver: tg3 v: kernel port: N/A bus-ID: 47:00.1 chip-ID: 14e4:165f class-ID: 0200 + IF: wan state: up speed: 1000 Mbps duplex: full mac: 3c:ec:ef:7e:bd:c9 + IP v6: 2001:bc8:38ee:100::500/128 scope: global + IP v6: fe80::3eec:efff:fe7e:bdc9/64 virtual: proto kernel_ll scope: link + IF-ID-1: enp73s0f3u1u2c2 state: down mac: be:3a:f2:b6:05:9f WAN IP: 82.65.118.1 Bluetooth: Device-1: Insyde RNDIS/Ethernet Gadget type: USB driver: rndis_host v: kernel bus-ID: 7-1.2:4 chip-ID: 0b1f:03ee class-ID: 0a00 Report: This feature requires one of these tools: hciconfig/bt-adapter -Drives: Local Storage: total: 6.19 TiB used: 2.08 GiB (0.0%) - ID-1: /dev/nvme0n1 maj-min: 259:1 vendor: Samsung model: MZWLJ7T6HALA-00AU3 +Drives: Local Storage: total: 9.82 TiB used: 1.06 TiB (10.7%) + ID-1: /dev/nvme0n1 maj-min: 259:2 vendor: Samsung model: MZWLJ7T6HALA-00AU3 size: 6.19 TiB block-size: physical: 512 B logical: 512 B rotation: SSD - serial: S5RTNG0T110589 rev: EPK96R5Q temp: 44 Celsius C scheme: GPT - SMART: yes health: PASSED on: 24 hrs cycles: 44 read-units: 1,449,016 [741 GB] - written-units: 13,364,537 [6.84 TB] -Partition: ID-1: / raw-size: 6.18 TiB size: 6.18 TiB (100.00%) used: 2.04 GiB (0.0%) fs: btrfs + serial: S5RTNG0T110589 rev: EPK96R5Q temp: 40 Celsius C scheme: GPT + SMART: yes health: PASSED on: 273d 5h cycles: 113 read-units: 192,543,495 [98.5 TB] + written-units: 258,494,659 [132 TB] + ID-2: /dev/nvme1n1 maj-min: 259:0 vendor: Intel model: SSDPE2KX040T8 size: 3.64 TiB + block-size: physical: 512 B logical: 512 B speed: 31.6 Gb/s lanes: 4 rotation: SSD + serial: PHLJ940301WZ4P0DGN rev: VDV10131 temp: 33 Celsius C + SMART: yes health: PASSED on: 2y 188d 9h cycles: 36 read-units: 9,478,214,631 
[4.85 PB] + written-units: 9,225,614,032 [4.72 PB] +Partition: ID-1: / raw-size: 6.18 TiB size: 6.18 TiB (100.00%) used: 1.06 TiB (17.1%) fs: btrfs block-size: 4096 B dev: /dev/dm-0 maj-min: 254:0 mapped: nixroot - ID-2: /boot raw-size: 1023 MiB size: 1021 MiB (99.80%) used: 37 MiB (3.6%) fs: vfat - block-size: 512 B dev: /dev/nvme0n1p1 maj-min: 259:2 + ID-2: /boot raw-size: 1023 MiB size: 1021 MiB (99.80%) used: 23.9 MiB (2.3%) fs: vfat + block-size: 512 B dev: /dev/nvme0n1p1 maj-min: 259:3 Swap: Kernel: swappiness: 60 (default) cache-pressure: 100 (default) ID-1: swap-1 type: partition size: 8 GiB used: 0 KiB (0.0%) priority: -2 - dev: /dev/nvme0n1p2 maj-min: 259:3 + dev: /dev/nvme0n1p2 maj-min: 259:4 Sensors: Message: No ipmi sensor data found. Message: No sensor data found. Is lm-sensors configured? -Info: Processes: 1010 Uptime: 20h 25m wakeups: 0 Init: systemd v: 253 - target: multi-user.target tool: systemctl Compilers: gcc: 12.2.0 Packages: - nix-default: 0 nix-sys: 268 lib: 47 nix-usr: 0 Client: Sudo v: 1.9.13p3 inxi: 3.3.04 +Info: Processes: 1226 Uptime: N/A wakeups: 0 Init: systemd v: 254 target: multi-user.target + tool: systemctl Compilers: gcc: 12.3.0 Packages: nix-default: 0 nix-sys: 415 lib: 65 + nix-usr: 0 Client: Sudo v: 1.9.15p2 inxi: 3.3.04 ``` ![hardware topology](epyc.lstopo.svg) From 79dadb7e23d6b67dac983855fe6341e800af8022 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 24 Mar 2024 21:39:13 +0100 Subject: [PATCH 65/83] friends: add jade until 1st April Signed-off-by: Raito Bezarius --- modules/users/friends.nix | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/modules/users/friends.nix b/modules/users/friends.nix index 068f799..13cb774 100644 --- a/modules/users/friends.nix +++ b/modules/users/friends.nix 
@@ -46,5 +46,20 @@ in "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTVTXOutUZZjXLB0lUSgeKcSY/8mxKkC0ingGK1whD2 flokli" ]; }; + # Raito: Temporary account for jade, for benchmarking stuff. + jade = { + isNormalUser = true; + home = "/home/jade"; + shell = "/run/current-system/sw/bin/zsh"; + uid = 2004; + expires = "2024-04-01"; + extraGroups = trustedFriendGroups; + openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNldAg4t13/i69TD786The+U3wbiNUdW2Kc9KNWvEhgpf4y4x4Sft0oYfkPw5cjX4H3APqfD+b7ItAG0GCbwHw6KMYPoVMNK08zBMJUqt1XExbqGeFLqBaeqDsmEAYXJRbjMTAorpOCtgQdoCKK/DvZ51zUWXxT8UBNHSl19Ryv5Ry5VVdbAE35rqs57DQ9+ma6htXnsBEmmnC+1Zv1FE956m/OpBTId50mor7nS2FguAtPZnDPpTd5zl9kZmJEuWCrmy6iinw5V4Uy1mLeZkQv+/FtozbyifCRCvps9nHpv4mBSU5ABLgnRRvXs+D41Jx7xloNADr1nNgpsNrYaTh hed-bot-ssh-tpm-rsa" + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIKYljH8iPMrH00lOb3ETxRrZimdKzPPEdsJQ5D5ovtOwAAAACnNzaDpzc2hrZXk= ssh:sshkey" + "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBO4idMfdJxDJuBNOid60d4I+qxj09RHt+YkCYV2eXt6tGrEXg+S8hTQusy/SqooiXUH9pt4tea2RuBPN9+UwrH0= type-a yubikey slot 9a" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHGIBMfUypLctmorlRz9xIzXRgmtqDMxF5T5Fxy4JxNb root@tail-bot" + ]; + }; }; } From aab6b67cccf833ab85458247315c2aec3ea5114d Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 24 Mar 2024 22:45:42 +0100 Subject: [PATCH 66/83] trusted-users: add jade Signed-off-by: Raito Bezarius --- modules/users/admins.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/users/admins.nix b/modules/users/admins.nix index c30fe20..3fe7c52 100644 --- a/modules/users/admins.nix +++ b/modules/users/admins.nix @@ -66,6 +66,6 @@ in }; }; - nix.settings.trusted-users = [ "raito" "luj" "gdd" "akechi" "tomate" "niklas" ]; + nix.settings.trusted-users = [ "raito" "luj" "gdd" "akechi" "tomate" "niklas" "jade" ]; }; } From a8b450dd567d8f1b003b7637702cd7f582808781 Mon Sep 17 00:00:00 2001 
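Review bot: Adding "jade" to `nix.settings.trusted-users` in modules/users/admins.nix gives an account described as temporary and "for benchmarking stuff" daemon-level trust, which the Nix manual treats as essentially equivalent to root on the machine. The `expires = "2024-04-01"` set in modules/users/friends.nix only affects the login; the trusted-users entry lives in another file and stays until someone removes it by hand. A non-trusted user can already submit builds unless `allowed-users` is restricted somewhere outside this hunk, so the entry may not be needed at all. If it is, a comment beside the list such as `# jade: temporary, remove together with users.users.jade` would keep the two files in step. The same point applies to the "winter" entry added to this list in PATCH 67.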
From: Raito Bezarius Date: Wed, 27 Mar 2024 16:33:35 +0100 Subject: [PATCH 67/83] friends: add winterqt until 1st May until final validation Signed-off-by: Raito Bezarius --- modules/builder.nix | 1 + modules/users/admins.nix | 2 +- modules/users/friends.nix | 13 +++++++++++++ 3 files changed, 15 insertions(+), 1 deletion(-) diff --git a/modules/builder.nix b/modules/builder.nix index 7c3ff3e..7c691c8 100644 --- a/modules/builder.nix +++ b/modules/builder.nix @@ -6,6 +6,7 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA3hCOyFwuoCLt5W9e9yQSwj9I+VspB0kNNHsoFngbgZ raito@thors" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF07Sy0O+oletFYlrfS0+XtBWJO2F+Rc9J/ocNLBa/OE raito@thorkell" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDu4cEqZzAI/1vZjSQkTJ4ijIg9nuloOuSKUrnkJIOFn buildbot@top-secret" # Top secret's project buildbot key + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIH/LDRUG+U+++UmlxvA2kspioTjktQZ8taDcHq8gVlkfAAAABHNzaDo=" # winterqt ]; uid = 5001; }; diff --git a/modules/users/admins.nix b/modules/users/admins.nix index 3fe7c52..e3ae6ea 100644 --- a/modules/users/admins.nix +++ b/modules/users/admins.nix @@ -66,6 +66,6 @@ in }; }; - nix.settings.trusted-users = [ "raito" "luj" "gdd" "akechi" "tomate" "niklas" "jade" ]; + nix.settings.trusted-users = [ "raito" "luj" "gdd" "akechi" "tomate" "niklas" "jade" "winter" ]; }; } diff --git a/modules/users/friends.nix b/modules/users/friends.nix index 13cb774..e76daf0 100644 --- a/modules/users/friends.nix +++ b/modules/users/friends.nix 
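Review bot: The winterqt key added to the builder user's `openssh.authorizedKeys.keys` in modules/builder.nix is the same `sk-ssh-ed25519@openssh.com` key that this patch installs for the `winter` account, but only that personal account carries `expires = "2024-05-01"`. After that date the key still authenticates as builder, so the "until 1st May until final validation" limit in the subject does not cover this path. I would mark the coupling on the entry itself, e.g. `# winterqt: temporary, remove together with users.users.winter`, or leave the key out of builder.nix until the validation is done. The builder user definition begins above the hunk.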
@@ -61,5 +61,18 @@ in "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHGIBMfUypLctmorlRz9xIzXRgmtqDMxF5T5Fxy4JxNb root@tail-bot" ]; }; + # Raito: Account for winter, she was the one in charge of the Darwin build box for a while, + # helped a bunch of people and deserve it :-). + winter = { + isNormalUser = true; + home = "/home/winter"; + shell = "/run/current-system/sw/bin/zsh"; + uid = 2005; + expires = "2024-05-01"; + extraGroups = trustedFriendGroups; + openssh.authorizedKeys.keys = [ + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIH/LDRUG+U+++UmlxvA2kspioTjktQZ8taDcHq8gVlkfAAAABHNzaDo=" + ]; + }; }; } From 86cff4e34f065a615b915abaa938f5881d1e214b Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 27 Mar 2024 16:38:45 +0100 Subject: [PATCH 68/83] friends: cleanup ninjatrappeur, flokli account Signed-off-by: Raito Bezarius --- modules/users/friends.nix | 23 +---------------------- 1 file changed, 1 insertion(+), 22 deletions(-) diff --git a/modules/users/friends.nix b/modules/users/friends.nix index e76daf0..910cc6f 100644 --- a/modules/users/friends.nix +++ b/modules/users/friends.nix @@ -5,17 +5,8 @@ let ]; in { + # deleted users: ninjatrappeur, flokli users.users = { - # Raito: unused since a while, it was made for working on the production database of Hydra. - ninjatrappeur = { - isNormalUser = true; - home = "/home/ninjatrappeur"; - shell = "/run/current-system/sw/bin/zsh"; - uid = 2000; - extraGroups = trustedFriendGroups; - expires = "2024-01-01"; - openssh.authorizedKeys.keyFiles = [ ./keys/ninjatrappeur.keys ]; - }; linus = { isNormalUser = true; home = "/home/linus"; 
@@ -34,18 +25,6 @@ in extraGroups = trustedFriendGroups; openssh.authorizedKeys.keyFiles = [ ./keys/niklas.keys ]; }; - # Raito: Temporary account for flokli, disable when he's done with it. - flokli = { - isNormalUser = true; - home = "/home/flokli"; - shell = "/run/current-system/sw/bin/zsh"; - uid = 2003; - expires = "2024-02-01"; - extraGroups = trustedFriendGroups; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTVTXOutUZZjXLB0lUSgeKcSY/8mxKkC0ingGK1whD2 flokli" - ]; - }; # Raito: Temporary account for jade, for benchmarking stuff. jade = { isNormalUser = true; From 177351f7ee721705bf22a1407315ca8287fc1639 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Mon, 8 Apr 2024 09:39:11 +0200 Subject: [PATCH 69/83] friends: bump jade until 1st May Signed-off-by: Raito Bezarius --- modules/users/friends.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/users/friends.nix b/modules/users/friends.nix index 910cc6f..dfcb1e4 100644 --- a/modules/users/friends.nix +++ b/modules/users/friends.nix @@ -31,7 +31,7 @@ in home = "/home/jade"; shell = "/run/current-system/sw/bin/zsh"; uid = 2004; - expires = "2024-04-01"; + expires = "2024-05-01"; extraGroups = trustedFriendGroups; openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNldAg4t13/i69TD786The+U3wbiNUdW2Kc9KNWvEhgpf4y4x4Sft0oYfkPw5cjX4H3APqfD+b7ItAG0GCbwHw6KMYPoVMNK08zBMJUqt1XExbqGeFLqBaeqDsmEAYXJRbjMTAorpOCtgQdoCKK/DvZ51zUWXxT8UBNHSl19Ryv5Ry5VVdbAE35rqs57DQ9+ma6htXnsBEmmnC+1Zv1FE956m/OpBTId50mor7nS2FguAtPZnDPpTd5zl9kZmJEuWCrmy6iinw5V4Uy1mLeZkQv+/FtozbyifCRCvps9nHpv4mBSU5ABLgnRRvXs+D41Jx7xloNADr1nNgpsNrYaTh hed-bot-ssh-tpm-rsa" From 8596f1481f7a97b7e8d3993ccdbe32ebd96e2185 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Tue, 30 Apr 2024 16:56:04 +0200 Subject: [PATCH 70/83] feat: i need to debug Heads. i yes no. Signed-off-by: Raito Bezarius --- hosts/epyc.nix | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/hosts/epyc.nix b/hosts/epyc.nix index 8389142..0e27c41 100644 --- a/hosts/epyc.nix +++ b/hosts/epyc.nix @@ -20,6 +20,11 @@ in boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; + virtualisation.docker = { + enable = true; + rootless.enable = true; + }; + # We want to use EEVDF and AMD-related niceties. boot.kernelPackages = pkgs.linuxPackages_latest; From 620375662bb7beddf6ee7cb3750c1343707ab6fd Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 12 May 2024 02:59:50 +0200 Subject: [PATCH 71/83] feat: make jade account permanent Signed-off-by: Raito Bezarius --- modules/users/friends.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/users/friends.nix b/modules/users/friends.nix index dfcb1e4..89f696e 100644 --- a/modules/users/friends.nix +++ b/modules/users/friends.nix @@ -31,7 +31,7 @@ in home = "/home/jade"; shell = "/run/current-system/sw/bin/zsh"; uid = 2004; - expires = "2024-05-01"; + expires = "2060-05-01"; extraGroups = trustedFriendGroups; openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNldAg4t13/i69TD786The+U3wbiNUdW2Kc9KNWvEhgpf4y4x4Sft0oYfkPw5cjX4H3APqfD+b7ItAG0GCbwHw6KMYPoVMNK08zBMJUqt1XExbqGeFLqBaeqDsmEAYXJRbjMTAorpOCtgQdoCKK/DvZ51zUWXxT8UBNHSl19Ryv5Ry5VVdbAE35rqs57DQ9+ma6htXnsBEmmnC+1Zv1FE956m/OpBTId50mor7nS2FguAtPZnDPpTd5zl9kZmJEuWCrmy6iinw5V4Uy1mLeZkQv+/FtozbyifCRCvps9nHpv4mBSU5ABLgnRRvXs+D41Jx7xloNADr1nNgpsNrYaTh hed-bot-ssh-tpm-rsa" From 0e1ec7f6b584310a4b6054e349002b6db3b64412 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Mon, 13 May 2024 22:49:18 +0200 Subject: [PATCH 72/83] feat: add pennae as permanent account Signed-off-by: Raito Bezarius --- modules/users/friends.nix | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/modules/users/friends.nix b/modules/users/friends.nix index 89f696e..5a2a1cd 100644 --- a/modules/users/friends.nix +++ b/modules/users/friends.nix 
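Review bot: `virtualisation.docker.enable = true` in hosts/epyc.nix starts the system-wide root daemon in addition to the rootless one turned on by `rootless.enable = true`. On a host with several shell accounts, membership of the `docker` group then amounts to root access; whether `trustedFriendGroups` contains that group is not visible in this hunk. If rootless containers are enough for the debugging this commit is for, dropping `enable = true;` and adding `rootless.setSocketVariable = true;` keeps the setup unprivileged. A one-line comment saying what the Docker setup is for and when it can be removed would also help, since the commit subject does not.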
@@ -53,5 +53,17 @@ in "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIH/LDRUG+U+++UmlxvA2kspioTjktQZ8taDcHq8gVlkfAAAABHNzaDo=" ]; }; + # Raito: Permanent account for pennae, they are doing a bunch of excellent Nix work (including performance). + pennae = { + isNormalUser = true; + home = "/home/pennae"; + shell = "/run/current-system/sw/bin/zsh"; + uid = 2006; + extraGroups = trustedFriendGroups; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC5Wf5/IbyFpdziWfwxkQqxOf3r1L9pYn6xQBEKFwmMY" + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIK8icXjHkb4XzbIVN3djH4CE7RvgGd+3xbG4cgh0Yls5AAAABHNzaDo=" + ]; + }; }; } From 785fe6d92fc5171d971499adeec36e39b6e1e1c1 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Mon, 13 May 2024 22:50:31 +0200 Subject: [PATCH 73/83] fix: make jade permanent as discussed Signed-off-by: Raito Bezarius --- modules/users/friends.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/users/friends.nix b/modules/users/friends.nix index 5a2a1cd..50df922 100644 --- a/modules/users/friends.nix +++ b/modules/users/friends.nix @@ -25,7 +25,8 @@ in extraGroups = trustedFriendGroups; openssh.authorizedKeys.keyFiles = [ ./keys/niklas.keys ]; }; - # Raito: Temporary account for jade, for benchmarking stuff. + # Raito: Permanent account for Jade who has been driving a lot of good work. + # expires = 2060 because of a convergence bug, I cannot remove the expiration date anymore. jade = { isNormalUser = true; home = "/home/jade"; From 7d3f9a05331767b11920315be95bcd678658d7eb Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Mon, 13 May 2024 22:50:20 +0200 Subject: [PATCH 74/83] fix: make winter permanent as discussed Signed-off-by: Raito Bezarius --- modules/users/friends.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/modules/users/friends.nix b/modules/users/friends.nix index 50df922..62fcbe7 100644 
--- a/modules/users/friends.nix +++ b/modules/users/friends.nix @@ -41,14 +41,15 @@ in "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHGIBMfUypLctmorlRz9xIzXRgmtqDMxF5T5Fxy4JxNb root@tail-bot" ]; }; - # Raito: Account for winter, she was the one in charge of the Darwin build box for a while, + # Raito: Permanent account for winter, she was the one in charge of the Darwin build box for a while, # helped a bunch of people and deserve it :-). + # expires = 2060 because of a convergence bug, I cannot remove the expiration date anymore. winter = { isNormalUser = true; home = "/home/winter"; shell = "/run/current-system/sw/bin/zsh"; uid = 2005; - expires = "2024-05-01"; + expires = "2060-05-01"; extraGroups = trustedFriendGroups; openssh.authorizedKeys.keys = [ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIH/LDRUG+U+++UmlxvA2kspioTjktQZ8taDcHq8gVlkfAAAABHNzaDo=" From 7d83f696dd74ebff39bd97fff2f2c5d39df9a770 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Mon, 20 May 2024 17:39:16 +0200 Subject: [PATCH 75/83] feat: remove hypervisor and bump to jobserver branch Signed-off-by: Raito Bezarius --- configurations.nix | 6 ---- flake.lock | 78 ++++-------------------------------------- flake.nix | 6 ++-- hosts/epyc.nix | 8 ----- modules/hypervisor.nix | 3 -- 5 files changed, 9 insertions(+), 92 deletions(-) diff --git a/configurations.nix b/configurations.nix index 6645be4..5c77292 100644 --- a/configurations.nix +++ b/configurations.nix @@ -8,7 +8,6 @@ let nur colmena flake-registry - nixos-hypervisor nixos-hardware nixpkgs-unstable srvos @@ -45,8 +44,6 @@ let srvos.nixosModules.mixins-trusted-nix-caches srvos.nixosModules.mixins-terminfo - nixos-hypervisor.nixosModules.host - # srvos.nixosModules.mixins-telegraf # srvos.nixosModules.mixins-terminfo @@ -108,9 +105,6 @@ in flake.colmena = { meta.nixpkgs = import nixpkgs { system = "x86_64-linux"; - overlays = [ - nixos-hypervisor.overlays.default - ]; }; epyc = { imports = 
diff --git a/flake.lock b/flake.lock index c5de10c..0c1856a 100644 --- a/flake.lock +++ b/flake.lock @@ -183,27 +183,6 @@ "type": "github" } }, - "flake-parts_2": { - "inputs": { - "nixpkgs-lib": [ - "nixos-hypervisor", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1687762428, - "narHash": "sha256-DIf7mi45PKo+s8dOYF+UlXHzE0Wl/+k3tXUyAoAnoGE=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "37dd7bb15791c86d55c5121740a1887ab55ee836", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, "flake-registry": { "flake": false, "locked": { @@ -307,29 +286,6 @@ "type": "github" } }, - "nixos-hypervisor": { - "inputs": { - "flake-parts": "flake-parts_2", - "nixpkgs": [ - "nixpkgs" - ], - "treefmt-nix": "treefmt-nix" - }, - "locked": { - "lastModified": 1688428885, - "narHash": "sha256-fVIbXKvHmxSUAKTMiXx799UasQwU2XT+op7bzvtfl8c=", - "ref": "main", - "rev": "9f32a304708fd9c91c081db05eee1b4f2e0226cc", - "revCount": 2, - "type": "git", - "url": "ssh://gitea@git.newtype.fr/newtype/nixos-hypervisor" - }, - "original": { - "ref": "main", - "type": "git", - "url": "ssh://gitea@git.newtype.fr/newtype/nixos-hypervisor" - } - }, "nixpkgs": { "locked": { "lastModified": 1702539185, @@ -380,16 +336,16 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1709428628, - "narHash": "sha256-//ZCCnpVai/ShtO2vPjh3AWgo8riXCaret6V9s7Hew4=", - "owner": "NixOS", + "lastModified": 1716155578, + "narHash": "sha256-+ocwkKmur5q8MJpm8ao0O2wdbMYBxPtFDrCvjqnkZYA=", + "owner": "pennae", "repo": "nixpkgs", - "rev": "66d65cb00b82ffa04ee03347595aa20e41fe3555", + "rev": "093d16ae7a4c6b5f215152972a223b9fbcd3343a", "type": "github" }, "original": { - "owner": "NixOS", - "ref": "release-23.11", + "owner": "pennae", + "ref": "stdenv-jobserver", "repo": "nixpkgs", "type": "github" } 
@@ -419,7 +375,6 @@ "flake-registry": "flake-registry", "home-manager": "home-manager_2", "nixos-hardware": "nixos-hardware", - "nixos-hypervisor": "nixos-hypervisor", "nixpkgs": "nixpkgs_2", "nixpkgs-unstable": "nixpkgs-unstable", "nur": "nur", @@ -476,27 +431,6 @@ "repo": "default", "type": "github" } - }, - "treefmt-nix": { - "inputs": { - "nixpkgs": [ - "nixos-hypervisor", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1688026376, - "narHash": "sha256-qJmkr9BWDpqblk4E9/rCsAEl39y2n4Ycw6KRopvpUcY=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "df3f32b0cc253dfc7009b7317e8f0e7ccd70b1cf", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 88aaf19..c52f6dd 100644 --- a/flake.nix +++ b/flake.nix @@ -10,7 +10,7 @@ flake-parts.url = "github:hercules-ci/flake-parts"; flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs"; - nixpkgs.url = "github:NixOS/nixpkgs/release-23.11"; + nixpkgs.url = "github:pennae/nixpkgs/stdenv-jobserver"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; nixos-hardware.url = "github:NixOS/nixos-hardware"; @@ -33,8 +33,8 @@ # Ryan's experimental hypervisor based on cloud-hypervisor # Private repository, you need a valid SSH key to access it - nixos-hypervisor.url = "git+ssh://gitea@git.newtype.fr/newtype/nixos-hypervisor?ref=main"; - nixos-hypervisor.inputs.nixpkgs.follows = "nixpkgs"; + # nixos-hypervisor.url = "git+ssh://gitea@git.newtype.fr/newtype/nixos-hypervisor?ref=main"; + # nixos-hypervisor.inputs.nixpkgs.follows = "nixpkgs"; flake-registry.url = "github:NixOS/flake-registry"; flake-registry.flake = false; diff --git a/hosts/epyc.nix b/hosts/epyc.nix index 0e27c41..f84a8f4 100644 --- a/hosts/epyc.nix +++ b/hosts/epyc.nix 
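Review bot: `nixpkgs.url = "github:pennae/nixpkgs/stdenv-jobserver";` in the first flake.nix hunk makes a branch of a personal fork the package set for every host, and nothing in the hunk says why or for how long. `flake.lock` pins the revision, but any later `nix flake update` follows whatever that branch points to at the time. The hosts also stop following `release-23.11` unless the fork is kept rebased, which presumably is acceptable only for the duration of the jobserver experiment. A comment above the line would record this, for example `# TEMPORARY: fork carrying the stdenv jobserver patches; return to the NixOS release branch after testing.`.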
@@ -36,14 +36,6 @@ in ''; networking.firewall.allowedTCPPorts = [ 5432 ]; - virtualisation.nvisor.vms = { - vm01 = { - config = { pkgs, ... }: { - environment.systemPackages = [ pkgs.hello ]; - }; - }; - }; - nix.buildMachines = [ { hostName = "localhost"; systems = [ diff --git a/modules/hypervisor.nix b/modules/hypervisor.nix index 2b11b5c..4b2c5c4 100644 --- a/modules/hypervisor.nix +++ b/modules/hypervisor.nix @@ -1,5 +1,2 @@ { ... }: { - virtualisation.nvisor = { - enable = true; - }; } From 45d660deb5117db00b9918e2c0201b1874d0cc99 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Mon, 20 May 2024 17:39:23 +0200 Subject: [PATCH 76/83] feat: enable jobserver and cores = 0; Signed-off-by: Raito Bezarius --- modules/nix-daemon.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/modules/nix-daemon.nix b/modules/nix-daemon.nix index 9ebbe82..b30d12d 100644 --- a/modules/nix-daemon.nix +++ b/modules/nix-daemon.nix @@ -30,6 +30,9 @@ in { domain = "*"; item = "nofile"; type = "-"; value = "20480"; } ]; + # Makes the computer go faster. + nixos.jobserver.enable = true; + # Memory accounting techniques systemd.services.nix-daemon.serviceConfig = { MemoryAccounting = true; @@ -63,7 +66,7 @@ in use-cgroups = true; http-connections = 0; auto-allocate-uids = true; - cores = 64; # 128 is too much, it will explode the RAM for now. Let's keep it serious. + cores = 0; max-jobs = 2; # Do not build more than 2 derivations at once in the event, both of them are too big, yes this is stupid, fix it in Nix. fsync-metadata = true; substituters = [ From c06bedc73ca434f4549271cdce01112cac63022f Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 22 May 2024 13:26:07 +0200 Subject: [PATCH 77/83] feat: add pennae as root and bump jobserver Signed-off-by: Raito Bezarius --- flake.lock | 8 ++++---- flake.nix | 2 +- modules/users/friends.nix | 3 ++- 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 0c1856a..74d34c3 100644 
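Review bot: `cores = 0;` in the second nix-daemon.nix hunk removes the only explicit bound on per-build parallelism, and the comment it deletes said the previous limit existed because 128 cores "will explode the RAM". With `max-jobs = 2` still in place, two large builds can each use every core; the bound now presumably comes from `nixos.jobserver.enable = true` added in the first hunk, but no comment says so. I would add `# cores = 0 relies on the jobserver to bound total parallelism; restore an explicit limit if the jobserver is disabled.` above the line. Patch 81 of this series comments the jobserver out again and does not touch `cores = 0`.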
--- a/flake.lock +++ b/flake.lock @@ -336,17 +336,17 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1716155578, - "narHash": "sha256-+ocwkKmur5q8MJpm8ao0O2wdbMYBxPtFDrCvjqnkZYA=", + "lastModified": 1716330751, + "narHash": "sha256-JLvLi84gRMwgF9DumUwiOUA5UciXf9e2Aaa07sKx4Y0=", "owner": "pennae", "repo": "nixpkgs", - "rev": "093d16ae7a4c6b5f215152972a223b9fbcd3343a", + "rev": "8e505de834edbac6d581589ebd18339c38d32731", "type": "github" }, "original": { "owner": "pennae", - "ref": "stdenv-jobserver", "repo": "nixpkgs", + "rev": "8e505de834edbac6d581589ebd18339c38d32731", "type": "github" } }, diff --git a/flake.nix b/flake.nix index c52f6dd..06af59b 100644 --- a/flake.nix +++ b/flake.nix @@ -10,7 +10,7 @@ flake-parts.url = "github:hercules-ci/flake-parts"; flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs"; - nixpkgs.url = "github:pennae/nixpkgs/stdenv-jobserver"; + nixpkgs.url = "github:pennae/nixpkgs/8e505de834edbac6d581589ebd18339c38d32731"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; nixos-hardware.url = "github:NixOS/nixos-hardware"; diff --git a/modules/users/friends.nix b/modules/users/friends.nix index 62fcbe7..d7aa355 100644 --- a/modules/users/friends.nix +++ b/modules/users/friends.nix @@ -61,7 +61,8 @@ in home = "/home/pennae"; shell = "/run/current-system/sw/bin/zsh"; uid = 2006; - extraGroups = trustedFriendGroups; + # Raito: Allowed to debug jobserver. + extraGroups = [ "wheel" ] ++ trustedFriendGroups; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC5Wf5/IbyFpdziWfwxkQqxOf3r1L9pYn6xQBEKFwmMY" "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIK8icXjHkb4XzbIVN3djH4CE7RvgGd+3xbG4cgh0Yls5AAAABHNzaDo=" From 332fa23d98ef439035634ca1622a189a66f68352 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 8 Jun 2024 12:23:45 +0200 Subject: [PATCH 78/83] chore: cleanup luj entry Signed-off-by: Raito Bezarius --- modules/users/admins.nix | 1 - 1 file changed, 1 deletion(-) 
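Review bot: `extraGroups = [ "wheel" ] ++ trustedFriendGroups;` gives the `pennae` account administrative rights with no end condition, while the stated reason, `# Raito: Allowed to debug jobserver.`, is a time-limited task. The account accepts two keys, and the plain `ssh-ed25519` one is not necessarily hardware-backed like the `sk-ssh-ed25519@openssh.com` one, so the weaker of the two decides how well `wheel` is protected. I would record the revocation condition next to the grant, e.g. `# Raito: wheel only while debugging jobserver; drop it when that work ends.`, and consider keeping only the `sk-` key on an account in `wheel`. The `pennae` attrset starts above the hunk, so an `expires` set there would not be visible here.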
diff --git a/modules/users/admins.nix b/modules/users/admins.nix index e3ae6ea..eb2794c 100644 --- a/modules/users/admins.nix +++ b/modules/users/admins.nix @@ -22,7 +22,6 @@ in luj = { isNormalUser = true; home = "/home/luj"; - inherit (config.users.users.raito); extraGroups = extraGroups ++ [ "production-hydra-db" ]; shell = "/run/current-system/sw/bin/zsh"; uid = 1001; From c311ccf80a9ec1b151e9648a3b32235a371ff9ad Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 8 Jun 2024 12:23:57 +0200 Subject: [PATCH 79/83] fix: enable a bunch of startups for sshd Signed-off-by: Raito Bezarius --- modules/nix-daemon.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/modules/nix-daemon.nix b/modules/nix-daemon.nix index b30d12d..7d8825e 100644 --- a/modules/nix-daemon.nix +++ b/modules/nix-daemon.nix @@ -33,6 +33,9 @@ in # Makes the computer go faster. nixos.jobserver.enable = true; + # Avoid weird failures for builders. + services.openssh.settings.MaxStartups = 100; + # Memory accounting techniques systemd.services.nix-daemon.serviceConfig = { MemoryAccounting = true; From 877ad54ae242afdccdb44ea4614ae69ef9c2a86b Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 8 Jun 2024 12:24:40 +0200 Subject: [PATCH 80/83] chore: bump to 24.05-small Signed-off-by: Raito Bezarius --- flake.lock | 86 +++++++++++++++++++++++++++--------------------------- flake.nix | 4 +-- 2 files changed, 45 insertions(+), 45 deletions(-) diff --git a/flake.lock b/flake.lock index 74d34c3..be91cc1 100644 --- a/flake.lock +++ b/flake.lock @@ -10,11 +10,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1707830867, - "narHash": "sha256-PAdwm5QqdlwIqGrfzzvzZubM+FXtilekQ/FA0cI49/o=", + "lastModified": 1716561646, + "narHash": "sha256-UIGtLO89RxKt7RF2iEgPikSdU53r6v/6WYB0RW3k89I=", "owner": "ryantm", "repo": "agenix", - "rev": "8cb01a0e717311680e0cbca06a76cbceba6f3ed6", + "rev": "c2fc0762bbe8feb06a2e59a364fa81b3a57671c9", "type": "github" }, "original": { 
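Review bot: `services.openssh.settings.MaxStartups = 100;` in the nix-daemon.nix hunk replaces sshd's `start:rate:full` throttle (default `10:30:100`) with a single hard cap, so unauthenticated connections are no longer dropped early between 10 and 100 pending. That helps builders that open many sessions at once, but it also removes the gradual drop that damps connection floods, which matters if this sshd is reachable from outside the build network (not visible in the hunk). The comment `# Avoid weird failures for builders.` should name the failure and the trade-off, for example `# Builders open many SSH sessions at once; the default 10:30:100 starts dropping at 10 unauthenticated connections.`. The setting also sits in `nix-daemon.nix` although it configures sshd, which makes it easy to miss when reviewing SSH exposure.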
@@ -32,11 +32,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1707922053, - "narHash": "sha256-wSZjK+rOXn+UQiP1NbdNn5/UW6UcBxjvlqr2wh++MbM=", + "lastModified": 1711742460, + "narHash": "sha256-0O4v6e4a1toxXZ2gf5INhg4WPE5C5T+SVvsBt+45Mcc=", "owner": "zhaofengli", "repo": "attic", - "rev": "6eabc3f02fae3683bffab483e614bebfcd476b21", + "rev": "4dbdbee45728d8ce5788db6461aaaa89d98081f0", "type": "github" }, "original": { @@ -55,11 +55,11 @@ "stable": "stable" }, "locked": { - "lastModified": 1706509311, - "narHash": "sha256-QQKQ6r3CID8aXn2ZXZ79ZJxdCOeVP+JTnOctDALErOw=", + "lastModified": 1711386353, + "narHash": "sha256-gWEpb8Hybnoqb4O4tmpohGZk6+aerAbJpywKcFIiMlg=", "owner": "zhaofengli", "repo": "colmena", - "rev": "c84ccd0a7a712475e861c2b111574472b1a8d0cd", + "rev": "cd65ef7a25cdc75052fbd04b120aeb066c3881db", "type": "github" }, "original": { @@ -118,11 +118,11 @@ ] }, "locked": { - "lastModified": 1709439398, - "narHash": "sha256-MW0zp3ta7SvdpjvhVCbtP20ewRwQZX2vRFn14gTc4Kg=", + "lastModified": 1716431128, + "narHash": "sha256-t3T8HlX3udO6f4ilLcN+j5eC3m2gqsouzSGiriKK6vk=", "owner": "nix-community", "repo": "disko", - "rev": "1f76b318aa11170c8ca8c225a9b4c458a5fcbb57", + "rev": "7ffc4354dfeb37c8c725ae1465f04a9b45ec8606", "type": "github" }, "original": { @@ -170,11 +170,11 @@ ] }, "locked": { - "lastModified": 1709336216, - "narHash": "sha256-Dt/wOWeW6Sqm11Yh+2+t0dfEWxoMxGBvv3JpIocFl9E=", + "lastModified": 1715865404, + "narHash": "sha256-/GJvTdTpuDjNn84j82cU6bXztE0MSkdnTWClUCRub78=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "f7b3c975cf067e56e7cda6cb098ebe3fb4d74ca2", + "rev": "8dc45382d5206bd292f9c2768b8058a8fd8311d9", "type": "github" }, "original": { 
@@ -257,27 +257,27 @@ ] }, "locked": { - "lastModified": 1706981411, - "narHash": "sha256-cLbLPTL1CDmETVh4p0nQtvoF+FSEjsnJTFpTxhXywhQ=", + "lastModified": 1717527182, + "narHash": "sha256-vWSkg6AMok1UUQiSYVdGMOXKD2cDFnajITiSi0Zjd1A=", "owner": "rycee", "repo": "home-manager", - "rev": "652fda4ca6dafeb090943422c34ae9145787af37", + "rev": "845a5c4c073f74105022533907703441e0464bc3", "type": "github" }, "original": { "owner": "rycee", - "ref": "release-23.11", + "ref": "release-24.05", "repo": "home-manager", "type": "github" } }, "nixos-hardware": { "locked": { - "lastModified": 1709410583, - "narHash": "sha256-esOSUoQ7mblwcsSea0K17McZuwAIjoS6dq/4b83+lvw=", + "lastModified": 1716715385, + "narHash": "sha256-fe6Z33pbfqu4TI5ijmcaNc5vRBs633tyxJ12HTghy3w=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "59e37017b9ed31dee303dbbd4531c594df95cfbc", + "rev": "2e7d6c568063c83355fe066b8a8917ee758de1b8", "type": "github" }, "original": { @@ -288,11 +288,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1702539185, - "narHash": "sha256-KnIRG5NMdLIpEkZTnN5zovNYc0hhXjAgv6pfd5Z4c7U=", + "lastModified": 1711401922, + "narHash": "sha256-QoQqXoj8ClGo0sqD/qWKFWezgEwUL0SUh37/vY2jNhc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "aa9d4729cbc99dabacb50e3994dcefb3ea0f7447", + "rev": "07262b18b97000d16a4bdb003418bd2fb067a932", "type": "github" }, "original": { @@ -304,11 +304,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1702780907, - "narHash": "sha256-blbrBBXjjZt6OKTcYX1jpe9SRof2P9ZYWPzq22tzXAA=", + "lastModified": 1711460390, + "narHash": "sha256-akSgjDZL6pVHEfSE6sz1DNSXuYX6hq+P/1Z5IoYWs7E=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1e2e384c5b7c50dbf8e9c441a9e58d85f408b01f", + "rev": "44733514b72e732bd49f5511bd0203dea9b9a434", "type": "github" }, "original": { 
@@ -320,11 +320,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1709356872, - "narHash": "sha256-mvxCirJbtkP0cZ6ABdwcgTk0u3bgLoIoEFIoYBvD6+4=", + "lastModified": 1716715802, + "narHash": "sha256-usk0vE7VlxPX8jOavrtpOqphdfqEQpf9lgedlY/r66c=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "458b097d81f90275b3fdf03796f0563844926708", + "rev": "e2dd4e18cc1c7314e24154331bae07df76eb582f", "type": "github" }, "original": { @@ -336,27 +336,27 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1716330751, - "narHash": "sha256-JLvLi84gRMwgF9DumUwiOUA5UciXf9e2Aaa07sKx4Y0=", - "owner": "pennae", + "lastModified": 1717796960, + "narHash": "sha256-BKjQ9tQdsuoROrojHZb7KTAv95WprqCkNFvuzatfEo0=", + "owner": "NixOS", "repo": "nixpkgs", - "rev": "8e505de834edbac6d581589ebd18339c38d32731", + "rev": "8e0a5f16b7bf7f212be068dd302c49888c6ad68f", "type": "github" }, "original": { - "owner": "pennae", + "owner": "NixOS", + "ref": "nixos-24.05-small", "repo": "nixpkgs", - "rev": "8e505de834edbac6d581589ebd18339c38d32731", "type": "github" } }, "nur": { "locked": { - "lastModified": 1709439575, - "narHash": "sha256-49f8WbTUE4C8VrIxS2DrINOncakhFChcmZ6xccVSfkA=", + "lastModified": 1716741358, + "narHash": "sha256-4bxptwbmplGKq3W4tl6Zem/bOHsdLP4DSPcm/FfCaFE=", "owner": "nix-community", "repo": "NUR", - "rev": "075c3094d6c6c3fae0e107de41e2367d17341ac4", + "rev": "c65a3bde6793b437a705edfe5ff8435cbb8307a2", "type": "github" }, "original": { @@ -388,11 +388,11 @@ ] }, "locked": { - "lastModified": 1709301784, - "narHash": "sha256-Yf7HeS2VZCD8kD/wEgnToyt9YqQhCle/9TazmFYnjsE=", + "lastModified": 1716425501, + "narHash": "sha256-BSLhmGYY1khyyBAjraR+N0Pa9Nha/et5yQQlEZxcfkU=", "owner": "numtide", "repo": "srvos", - "rev": "9501896e0edf01d2cbd5fa6f0dbb3aafc00dae81", + "rev": "1122cd50a23647e09c3e7a679d37ec02113bc412", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 06af59b..779165c 100644 --- a/flake.nix +++ b/flake.nix 
@@ -10,13 +10,13 @@ flake-parts.url = "github:hercules-ci/flake-parts"; flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs"; - nixpkgs.url = "github:pennae/nixpkgs/8e505de834edbac6d581589ebd18339c38d32731"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05-small"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; nixos-hardware.url = "github:NixOS/nixos-hardware"; nur.url = "github:nix-community/NUR"; - home-manager.url = "github:rycee/home-manager/release-23.11"; + home-manager.url = "github:rycee/home-manager/release-24.05"; home-manager.inputs.nixpkgs.follows = "nixpkgs"; agenix.url = "github:ryantm/agenix"; From bd1a250b1f43657b907fa088284b37084cf38e21 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 8 Jun 2024 12:27:43 +0200 Subject: [PATCH 81/83] chore: disable jobserver Signed-off-by: Raito Bezarius --- modules/nix-daemon.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/nix-daemon.nix b/modules/nix-daemon.nix index 7d8825e..59e7ac5 100644 --- a/modules/nix-daemon.nix +++ b/modules/nix-daemon.nix @@ -31,7 +31,8 @@ in ]; # Makes the computer go faster. - nixos.jobserver.enable = true; + # nixos.jobserver.enable = true; + # TODO(raito): rework this. # Avoid weird failures for builders. services.openssh.settings.MaxStartups = 100; From 5b76e5a670c09f6d1475036470d032ea4fe5b18e Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 8 Jun 2024 12:23:39 +0200 Subject: [PATCH 82/83] fix: debug attempts for the weird reboot issue Signed-off-by: Raito Bezarius --- hosts/epyc.nix | 5 +++-- modules/hardware/supermicro-H12SSL-i.nix | 10 ++++++++-- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/hosts/epyc.nix b/hosts/epyc.nix index f84a8f4..10a8d07 100644 --- a/hosts/epyc.nix +++ b/hosts/epyc.nix 
@@ -25,8 +25,9 @@ in rootless.enable = true; }; - # We want to use EEVDF and AMD-related niceties. - boot.kernelPackages = pkgs.linuxPackages_latest; + # TODO: there's a critical bug on 6.8+ where btrfs won't mount the rootfs at all. + # Do not upgrade until it is fixed. Ping Raito when needed. + # boot.kernelPackages = pkgs.linuxPackage_latest; # Open public access to our PostgreSQL. services.postgresql.enable = true; diff --git a/modules/hardware/supermicro-H12SSL-i.nix b/modules/hardware/supermicro-H12SSL-i.nix index 455f2f4..68ffc38 100644 --- a/modules/hardware/supermicro-H12SSL-i.nix +++ b/modules/hardware/supermicro-H12SSL-i.nix @@ -8,12 +8,18 @@ [ (modulesPath + "/installer/scan/not-detected.nix") ]; - boot.kernelParams = [ "pci=realloc" ]; + boot.kernelParams = [ "pci=realloc" "boot.shell_on_fail" ]; boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod" ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-amd" ]; boot.extraModulePackages = [ ]; + boot.initrd.extraUtilsCommands = '' + copy_bin_and_libs ${pkgs.nvme-cli}/bin/nvme + copy_bin_and_libs ${pkgs.util-linux}/bin/blkzone + copy_bin_and_libs ${pkgs.util-linux}/bin/lsblk + ''; + boot.initrd.systemd.enable = lib.mkForce false; fileSystems."/" = @@ -34,7 +40,7 @@ swapDevices = [ { device = "/dev/disk/by-uuid/93e251e1-1bfc-4bd4-8585-ea2eae7795bf"; } - ]; + ]; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; From 6b28da45573adc4dabeda161ef6cb866b8af8799 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 8 Jun 2024 12:27:55 +0200 Subject: [PATCH 83/83] feat: add delroth as root@ for capability building Signed-off-by: Raito Bezarius --- modules/users/friends.nix | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/modules/users/friends.nix b/modules/users/friends.nix index d7aa355..932660f 100644 --- a/modules/users/friends.nix 
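Review bot: The commented-out line `# boot.kernelPackages = pkgs.linuxPackage_latest;` in the epyc.nix hunk misspells the attribute that the removed line used, `pkgs.linuxPackages_latest`, so uncommenting it as written will presumably fail to evaluate. I would keep the original spelling in the comment, `# boot.kernelPackages = pkgs.linuxPackages_latest;`. The TODO would also be easier to act on with a link to the btrfs bug report, so the next person can tell when the latest kernel can be re-enabled.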
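Review bot: Adding `"boot.shell_on_fail"` to `boot.kernelParams` in the first supermicro-H12SSL-i.nix hunk leaves an unauthenticated root shell available in stage 1 whenever boot fails, for anyone who can reach the machine's console (on this board that presumably includes the BMC's remote console). The commit title calls these debug attempts, yet the parameter and the extra initrd tools land in the shared hardware module without any marker for removal. I would add `# DEBUG(reboot issue): remove boot.shell_on_fail and the extraUtilsCommands below once diagnosed.` above the line. `extraUtilsCommands` also references `pkgs`; the module's argument list is outside the hunk, so check that `pkgs` is bound there.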
+++ b/modules/users/friends.nix @@ -68,5 +68,17 @@ in "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIK8icXjHkb4XzbIVN3djH4CE7RvgGd+3xbG4cgh0Yls5AAAABHNzaDo=" ]; }; + # Raito: Temporary account until next year, for delroth, who is going to work on building capabilities for improving build infrastructure. + delroth = { + isNormalUser = true; + home = "/home/delroth"; + shell = "/run/current-system/sw/bin/zsh"; + uid = 2007; + # Raito: Allowed to spawn new VMs and do various stuff for isolating the workloads. + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3tjB4KYDok3KlWxdBp/yEmqhhmybd+w0VO4xUwLKKV" + ]; + }; }; }
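Review bot: The new `delroth` account is described as "Temporary account until next year" but sets no `expires`, so nothing enforces the end date; the `winter` account in this file uses `expires` for that purpose. Adding `expires = "<YYYY-MM-DD>";` (placeholder for the agreed date) next to `uid = 2007;` would do it. `extraGroups = [ "wheel" ]` is also wider than the comment's stated purpose of spawning VMs and isolating workloads; if a narrower group can cover that, prefer it, otherwise say in the comment that full administrative access is intended. The single authorized key is a plain `ssh-ed25519` key, while other accounts in this file list `sk-ssh-ed25519@openssh.com` keys.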