feat(build01): Init

2025-01-09 23:05:17 +01:00 · 2025-01-09 23:05:17 +01:00 · 8cfc0001b9
commit 8cfc0001b9
parent d474e39b92
18 changed files with 464 additions and 143 deletions
--- a/machines/nixos/build01/_configuration.nix
+++ b/machines/nixos/build01/_configuration.nix
@ -0,0 +1,26 @@
+# SPDX-FileCopyrightText: 2025 Elias Coppens <elias@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ lib, ... }:
+
+lib.extra.mkConfig {
+  enabledModules = [
+    "dgn-forgejo-runners"
+  ];
+
+  enabledServices = [
+    "nix-builder"
+  ];
+
+  extraConfig = {
+    dgn-forgejo-runners = {
+      nbRunners = 16;
+      dataDirectory = "/data";
+    };
+
+    services.netbird.enable = true;
+  };
+
+  root = ./.;
+}
--- a/machines/nixos/build01/_hardware-configuration.nix
+++ b/machines/nixos/build01/_hardware-configuration.nix
@ -0,0 +1,59 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "xhci_pci"
+        "nvme"
+        "megaraid_sas"
+        "ehci_pci"
+        "ahci"
+        "usbhid"
+        "sd_mod"
+      ];
+      kernelModules = [ "dm-snapshot" ];
+    };
+    kernelModules = [ "kvm-amd" ];
+    extraModulePackages = [ ];
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/fed99278-0916-4d9c-b974-c7125d3557b3";
+      fsType = "xfs";
+    };
+
+    "/data" = {
+      device = "/dev/disk/by-uuid/69b62f16-7db1-4720-a115-fd3b8dafe123";
+      fsType = "xfs";
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-uuid/1372-46EA";
+      fsType = "vfat";
+      options = [
+        "fmask=0022"
+        "dmask=0022"
+      ];
+    };
+  };
+
+  swapDevices = [
+    { device = "/dev/disk/by-uuid/34b9e0ab-c579-4293-849c-78f5093cf35a"; }
+  ];
+
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/machines/nixos/build01/nix-builder.nix
+++ b/machines/nixos/build01/nix-builder.nix
@ -0,0 +1,70 @@
+# SPDX-FileCopyrightText: 2025 Elias Coppens <elias@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+  pkgs,
+  lib,
+  meta,
+  ...
+}:
+let
+  keys = (import ../../../keys)._keys;
+in
+{
+  config = {
+    users.users = lib.genAttrs meta.organization.groups.nix-builder (u: {
+      isNormalUser = true;
+      openssh.authorizedKeys.keys = keys.${u};
+    });
+
+    security.pam.loginLimits = [
+      {
+        domain = "*";
+        item = "nofile";
+        type = "-";
+        value = "20480";
+      }
+    ];
+
+    systemd.services.nix-daemon.serviceConfig = {
+      MemoryAccounting = true;
+      MemoryMax = "450G";
+      MemoryHigh = "440G";
+      MemorySwapMax = "2G";
+      ManagedOOMSwap = "kill";
+      ManagedOOMMemoryPressure = "kill";
+      MemoryPressureWatch = "on";
+    };
+
+    nix = {
+      gc = {
+        automatic = true;
+        dates = lib.mkForce "*:45";
+        options = lib.mkForce ''--max-freed "$((128 * 1024**3 - 1024 * $(df -P -k /nix/store | tail -n 1 | ${pkgs.gawk}/bin/awk '{ print $4 }')))"'';
+
+        randomizedDelaySec = "1800";
+      };
+
+      nrBuildUsers = 128;
+
+      settings = {
+        keep-outputs = false;
+        keep-derivations = false;
+        use-cgroups = true;
+        http-connections = 0;
+        auto-allocate-uids = true;
+        cores = 0;
+        max-jobs = 8;
+        fsync-metadata = true;
+        experimental-features = [
+          "auto-allocate-uids"
+          # "ca-derivations" this feature is really extremely broken.
+          "cgroups"
+          "fetch-closure"
+          "impure-derivations"
+        ];
+      };
+    };
+  };
+}
--- a/machines/nixos/build01/secrets/forgejo_runners-token_file
+++ b/machines/nixos/build01/secrets/forgejo_runners-token_file
@ -0,0 +1,31 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA plGvUUrRbdkfNyD4UGIjjkv3Ktu4iqL4dImFZzWnqWA
+asE0N7d6lqnOFJWoU+V1bCLhlD5oFAkjs9HSM+ps6Ak
+-> ssh-ed25519 QlRB9Q hagbD6do4gKBuRBN8m8cDL6K0RFmiJwpvJOtAaPKXnA
+9727tWz+PhGm/bycXUUQHV3YqeXc0AD/mM1DvTrBLC4
+-> ssh-ed25519 r+nK/Q bnu+1g77I2LLnXNHZWMkIrgJpxpwJ1ZYgdAL4HE6hCo
+cDLyOiULyjO9s6PACs6Ou6m5h0XcDzbdc7o2P7OAizQ
+-> ssh-rsa krWCLQ
+X8SpFIBmd7LOnJqI+V3MWlaYB8f4Mron5IKYZGrqRPWzLrrkAkJsr1QdV4K9vepe
+zQsHecw8VvCKQesAKFrKTZxF8oXvoJU3GP5q9IVISLuEv8nLxgyhhLqQQqPVWLbC
+0nGGtbke2Xw2QXgUpoe6GdZ53Neg2BShUmV6SYoGeTwdxGmuL6nFH7UMzwsKWLW5
+95CoXfRyp4oxV7FQscuewPL+tNHXh6DoeW8Qlr3rxxgJkCSNMp+EchZJZOroGmtd
+SQb2SgFs712x9han1vNR7Dn3o270xa/AVldmjRBNvDGyNefItb20OP4n3bWSK3b1
+ejR3mZyP5SU2+Pr6navc0w
+-> ssh-ed25519 /vwQcQ NQSD4lKvM7uWm0deYyc22DC7/IGYve0XB9Zg8yOY5GE
+hpDWSKnlW6BtyKlXXS1anB78CvK+mnsm3BOxht7mL4Y
+-> ssh-ed25519 0R97PA i4DSi49b4vQpt3hjiHPn0/H9MzyvHz0OEPJXcvn+G1M
+C9uEKNTPRK8f4d2AYnPqDwTqDOV0SHmG/x/529l3YLA
+-> ssh-ed25519 JGx7Ng 5WgVespkMD/X/67sBoF2RbG+YXu06UuSozHrLJSn2xE
+pISCxxw/Hg9GBxh33gW6JO2mLKrdvSUVb6+AHMHwTtE
+-> ssh-ed25519 bUjjig 14Ocpj1tCsZ5lZQ32wDHsO9iFkrNi8wZS8NUhQ5HEh0
+ZbX31ejXuqmgKD1EcmH/B0zo1CeORzJn+QjrRuWNxh0
+-> ssh-ed25519 oRtTqQ dSGSGECezsXdDeyFcOSLIvKT0jdOs2d73/dRAeBuJjc
+2O/CXEu0rV5EdAewyvdA5XfLXMQvzEEtl8lPsBqICqk
+-> ssh-ed25519 IxxZqA BbHNkDUiEoWcwGjjrkFbOHCXvq2gEd8Rv7tt3p8fXHA
+yJsvxku/Kz26jTTEtuoHDLGO/gUotw/QZc+UwxCIwKE
+-> Tqc#'yq%-grease b
+X3iOhNF2FNp0ImC6uLsqjT1pAbNPBIxUCXLivDKbVIZYoBhtrLpQRJXoWK7GEakA
+8TkORCQQUYZIlNqu2Psfbi0
+--- 19Nolty0dET6QnYlxtieiluPP9R3HbrhEn5EDuFu/s4
+“˜?l÷6r] úfBžo<ŸŒ9Ç‰5M+Ší7íNõÏ¹äô%
Ñ.èœELÄ˜âÂÒw§¾snÑáã¬nšN
-×ØÌ¯pñûëËŠÓ
--- a/machines/nixos/build01/secrets/secrets.nix
+++ b/machines/nixos/build01/secrets/secrets.nix
@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: 2025 La Délégation Générale Numérique <contact@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+(import ../../../../keys).mkSecrets [ "build01" ] [
+  "forgejo_runners-token_file"
+]