diff --git a/.forgejo/workflows/eval-nodes.yaml b/.forgejo/workflows/eval-nodes.yaml
index 452517e..b39bb0f 100644
--- a/.forgejo/workflows/eval-nodes.yaml
+++ b/.forgejo/workflows/eval-nodes.yaml
@@ -21,6 +21,17 @@ jobs:
 STORE_USER: admin
 name: Build and cache bridge01
 run: nix-shell -A eval-nodes --run cache-node
+ build01:
+ runs-on: nix
+ steps:
+ - uses: actions/checkout@v3
+ - env:
+ BUILD_NODE: build01
+ STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+ STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+ STORE_USER: admin
+ name: Build and cache build01
+ run: nix-shell -A eval-nodes --run cache-node
 compute01:
 runs-on: nix
 steps:
diff --git a/keys/default.nix b/keys/default.nix
index 1a38900..5a1b797 100644
--- a/keys/default.nix
+++ b/keys/default.nix
@@ -20,6 +20,7 @@ rec {
 _keys = {
 # SSH keys of the nodes
 bridge01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5bS3iBXz8wycBnTvI5Qi79WLu0h4IVv/EOdKYbP5y7" ];
+ build01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIYJcEMQpOyKInqtd2/brnSQuzwgv6fNPlTSQx9tcvPu" ];
 compute01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu" ];
 geo01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4" ];
 geo02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket" ];
diff --git a/machines/nixos/build01/_configuration.nix b/machines/nixos/build01/_configuration.nix
new file mode 100644
index 0000000..9d269da
--- /dev/null
+++ b/machines/nixos/build01/_configuration.nix
@@ -0,0 +1,23 @@
+# SPDX-FileCopyrightText: 2025 Elias Coppens
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ lib, ... }:
+
+lib.extra.mkConfig {
+ enabledModules = [
+ "dgn-forgejo-runners"
+ ];
+
+ enabledServices = [
+ "nix-builder"
+ ];
+
+ extraConfig = {
+ dgn-forgejo-runners.nbRunners = 16;
+
+ services.netbird.enable = true;
+ };
+
+ root = ./.;
+}
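Review bot: `uses: actions/checkout@v3` in the new build01 job resolves a mutable tag rather than an immutable commit, so the code that runs in the checkout step can change without any change to this repository; pinning to a full commit SHA with the tag kept as a trailing comment is the usual mitigation, and since the surrounding jobs use the same reference the pin belongs in all of them. The job is otherwise a verbatim copy of the bridge01 job above it with only `BUILD_NODE` and `name` changed, which suggests the file is generated or templated; if so, the generator is where the pin should go. Only the tail of the bridge01 job and the head of the compute01 job are visible in the hunk.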
diff --git a/machines/nixos/build01/_hardware-configuration.nix b/machines/nixos/build01/_hardware-configuration.nix
new file mode 100644
index 0000000..8a7c867
--- /dev/null
+++ b/machines/nixos/build01/_hardware-configuration.nix
@@ -0,0 +1,59 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ config,
+ lib,
+ modulesPath,
+ ...
+}:
+
+{
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot = {
+ initrd = {
+ availableKernelModules = [
+ "xhci_pci"
+ "nvme"
+ "megaraid_sas"
+ "ehci_pci"
+ "ahci"
+ "usbhid"
+ "sd_mod"
+ ];
+ kernelModules = [ "dm-snapshot" ];
+ };
+ kernelModules = [ "kvm-amd" ];
+ extraModulePackages = [ ];
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/disk/by-uuid/fed99278-0916-4d9c-b974-c7125d3557b3";
+ fsType = "xfs";
+ };
+
+ "/data" = {
+ device = "/dev/disk/by-uuid/69b62f16-7db1-4720-a115-fd3b8dafe123";
+ fsType = "xfs";
+ };
+
+ "/boot" = {
+ device = "/dev/disk/by-uuid/1372-46EA";
+ fsType = "vfat";
+ options = [
+ "fmask=0022"
+ "dmask=0022"
+ ];
+ };
+ };
+
+ swapDevices = [
+ { device = "/dev/disk/by-uuid/34b9e0ab-c579-4293-849c-78f5093cf35a"; }
+ ];
+
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/machines/nixos/build01/nix-builder.nix b/machines/nixos/build01/nix-builder.nix
new file mode 100644
index 0000000..071d241
--- /dev/null
+++ b/machines/nixos/build01/nix-builder.nix
@@ -0,0 +1,78 @@
+# SPDX-FileCopyrightText: 2025 Elias Coppens
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ pkgs, lib, ... }:
+let
+ org = import ../../../meta/organization.nix;
+ keys = (import ../../../keys/default.nix)._keys;
+in
+{
+ config = {
+ users.users = builtins.listToAttrs (
+ builtins.map (u: {
+ name = u;
+ value = {
+ isNormalUser = true;
+ home = "/home/${u}";
+ openssh.authorizedKeys.keys = keys.${u};
+ };
+ }) org.groups.nix-builder
+ );
+
+ security.pam.loginLimits = [
+ {
+ domain = "*";
+ item = "nofile";
+ type = "-";
+ value = "20480";
+ }
+ ];
+
+ systemd.services.nix-daemon.serviceConfig = {
+ MemoryAccounting = true;
+ MemoryMax = "450G";
+ MemoryHigh = "440G";
+ MemorySwapMax = "2G";
+ ManagedOOMSwap = "kill";
+ ManagedOOMMemoryPressure = "kill";
+ MemoryPressureWatch = "on";
+ };
+
+ nix = {
+ gc = {
+ automatic = true;
+ dates = lib.mkForce "*:45";
+ options = lib.mkForce ''--max-freed "$((128 * 1024**3 - 1024 * $(df -P -k /nix/store | tail -n 1 | ${pkgs.gawk}/bin/awk '{ print $4 }')))"'';
+
+ randomizedDelaySec = "1800";
+ };
+
+ nrBuildUsers = 128;
+
+ settings = {
+ keep-outputs = false;
+ keep-derivations = false;
+ use-cgroups = true;
+ http-connections = 0;
+ auto-allocate-uids = true;
+ cores = 0;
+ max-jobs = 8; # Do not build more than 2 derivations at once in the event, both of them are too big, yes this is stupid, fix it in Nix.
+ fsync-metadata = true;
+ system-features = [
+ "benchmark"
+ "big-parallel"
+ "kvm"
+ "nixos-test"
+ ];
+ experimental-features = [
+ "auto-allocate-uids"
+ # "ca-derivations" this feature is really extremely broken.
+ "cgroups"
+ "fetch-closure"
+ "impure-derivations"
+ ];
+ };
+ };
+ };
+}
diff --git a/machines/nixos/build01/secrets/forgejo_runners-token_file b/machines/nixos/build01/secrets/forgejo_runners-token_file
new file mode 100644
index 0000000..5c475d3
--- /dev/null
+++ b/machines/nixos/build01/secrets/forgejo_runners-token_file
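Review bot: The comment on `max-jobs = 8` says no more than two derivations are built at once, which contradicts the value it annotates; one of the two is stale, and because settings blocks like this get copied between hosts the comment should state the actual intent, e.g. `max-jobs = 8; # Bounded so that several large builds cannot exhaust the nix-daemon MemoryMax together.` Separately, every member of `org.groups.nix-builder` receives a plain `isNormalUser` shell account with their SSH keys on a host that, per `_configuration.nix` in this commit, also runs 16 forgejo runners; if those accounts exist only for remote building, a restricted shell or an sshd `Match User` block with a forced command would keep them to that role, and that decision deserves a comment either way. The `experimental-features` list enables `auto-allocate-uids`, `cgroups`, `fetch-closure` and `impure-derivations` with no note on why each is needed, unlike the commented-out `ca-derivations`; a one-line justification per entry would help whoever later decides whether one can be dropped.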
@@ -0,0 +1,31 @@ +age-encryption.org/v1 +-> ssh-ed25519 jIXfPA plGvUUrRbdkfNyD4UGIjjkv3Ktu4iqL4dImFZzWnqWA +asE0N7d6lqnOFJWoU+V1bCLhlD5oFAkjs9HSM+ps6Ak +-> ssh-ed25519 QlRB9Q hagbD6do4gKBuRBN8m8cDL6K0RFmiJwpvJOtAaPKXnA +9727tWz+PhGm/bycXUUQHV3YqeXc0AD/mM1DvTrBLC4 +-> ssh-ed25519 r+nK/Q bnu+1g77I2LLnXNHZWMkIrgJpxpwJ1ZYgdAL4HE6hCo +cDLyOiULyjO9s6PACs6Ou6m5h0XcDzbdc7o2P7OAizQ +-> ssh-rsa krWCLQ +X8SpFIBmd7LOnJqI+V3MWlaYB8f4Mron5IKYZGrqRPWzLrrkAkJsr1QdV4K9vepe +zQsHecw8VvCKQesAKFrKTZxF8oXvoJU3GP5q9IVISLuEv8nLxgyhhLqQQqPVWLbC +0nGGtbke2Xw2QXgUpoe6GdZ53Neg2BShUmV6SYoGeTwdxGmuL6nFH7UMzwsKWLW5 +95CoXfRyp4oxV7FQscuewPL+tNHXh6DoeW8Qlr3rxxgJkCSNMp+EchZJZOroGmtd +SQb2SgFs712x9han1vNR7Dn3o270xa/AVldmjRBNvDGyNefItb20OP4n3bWSK3b1 +ejR3mZyP5SU2+Pr6navc0w +-> ssh-ed25519 /vwQcQ NQSD4lKvM7uWm0deYyc22DC7/IGYve0XB9Zg8yOY5GE +hpDWSKnlW6BtyKlXXS1anB78CvK+mnsm3BOxht7mL4Y +-> ssh-ed25519 0R97PA i4DSi49b4vQpt3hjiHPn0/H9MzyvHz0OEPJXcvn+G1M +C9uEKNTPRK8f4d2AYnPqDwTqDOV0SHmG/x/529l3YLA +-> ssh-ed25519 JGx7Ng 5WgVespkMD/X/67sBoF2RbG+YXu06UuSozHrLJSn2xE +pISCxxw/Hg9GBxh33gW6JO2mLKrdvSUVb6+AHMHwTtE +-> ssh-ed25519 bUjjig 14Ocpj1tCsZ5lZQ32wDHsO9iFkrNi8wZS8NUhQ5HEh0 +ZbX31ejXuqmgKD1EcmH/B0zo1CeORzJn+QjrRuWNxh0 +-> ssh-ed25519 oRtTqQ dSGSGECezsXdDeyFcOSLIvKT0jdOs2d73/dRAeBuJjc +2O/CXEu0rV5EdAewyvdA5XfLXMQvzEEtl8lPsBqICqk +-> ssh-ed25519 IxxZqA BbHNkDUiEoWcwGjjrkFbOHCXvq2gEd8Rv7tt3p8fXHA +yJsvxku/Kz26jTTEtuoHDLGO/gUotw/QZc+UwxCIwKE +-> Tqc#'yq%-grease b +X3iOhNF2FNp0ImC6uLsqjT1pAbNPBIxUCXLivDKbVIZYoBhtrLpQRJXoWK7GEakA +8TkORCQQUYZIlNqu2Psfbi0 +--- 19Nolty0dET6QnYlxtieiluPP9R3HbrhEn5EDuFu/s4 +“˜?l÷6r] úfBžo<ŸŒ9lj5M+Ší7íNõϹäô% Ñ.èœELĘâÂÒw§¾snÑáã¬nšN -×Ø̯pñûëËŠÓ \ No newline at end of file diff --git a/machines/nixos/build01/secrets/secrets.nix b/machines/nixos/build01/secrets/secrets.nix new file mode 100644 index 0000000..5974c55 --- /dev/null +++ b/machines/nixos/build01/secrets/secrets.nix 
@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: 2025 La Délégation Générale Numérique
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+(import ../../../../keys).mkSecrets [ "build01" ] [
+ "forgejo_runners-token_file"
+]
diff --git a/machines/nixos/storage01/_configuration.nix b/machines/nixos/storage01/_configuration.nix
index 3c7cb32..5458120 100644
--- a/machines/nixos/storage01/_configuration.nix
+++ b/machines/nixos/storage01/_configuration.nix
@@ -9,6 +9,7 @@ lib.extra.mkConfig {
 # List of modules to enable
 "dgn-backups"
 "dgn-web"
+ "dgn-forgejo-runners"
 ];

 enabledServices = [
@@ -27,6 +28,11 @@ lib.extra.mkConfig {
 extraConfig = {
 dgn-hardware.useZfs = true;

+ dgn-forgejo-runners = {
+ nbRunners = 6;
+ baseDataDir = "/data/slow";
+ };
+
 services.netbird.enable = true;

 };
diff --git a/machines/nixos/storage01/forgejo-runners.nix b/machines/nixos/storage01/forgejo-runners.nix
index fef5e6a..37b5a38 100644
--- a/machines/nixos/storage01/forgejo-runners.nix
+++ b/machines/nixos/storage01/forgejo-runners.nix
@@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: EUPL-1.2

-{ config, pkgs, ... }:
+_:

 let
 url = "https://git.dgnum.eu";
@@ -30,24 +30,6 @@ let
 };
 in
 {
- services.forgejo-nix-runners = {
- enable = true;
-
- inherit url;
-
- storePath = "/data/slow";
- tokenFile = config.age.secrets."forgejo_runners-token_file".path;
-
- dependencies = [
- pkgs.npins
- pkgs.tea
- ];
-
- containerOptions = [ "--cpus=4" ];
-
- nbRunners = 6;
- };
-
 services.gitea-actions-runner.instances = builtins.mapAttrs (_: mkRunner) {
 runner01 = {
 token = "qT9nZXKgLcb3fWOj7VTj3S58raiCWwF0weuIIKlY";
@@ -63,23 +45,4 @@ in
 labels = [ "debian-latest:docker://node:20-bookworm" ];
 };
 };
-
- virtualisation = {
- podman = {
- enable = true;
-
- defaultNetwork.settings = {
- dns_enable = true;
- ipv6_enabled = true;
- };
- };
-
- containers.storage.settings = {
- storage = {
- driver = "overlay";
- graphroot = "/data/slow/containers/storage";
- runroot = "/run/containers/storage";
- };
- };
- };
 }
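Review bot: The `runner01` registration token in `services.gitea-actions-runner.instances` is still a string literal in this file after the refactor (the context line right after the removed block), while the nix-runner token that moved into the shared module is read from `config.age.secrets."forgejo_runners-token_file".path`. Since this hunk is what takes secret handling out of the file, it is the natural point to switch the remaining instances to the `tokenFile` option of `services.gitea-actions-runner.instances.<name>` backed by an age secret, and to rotate the value that has been committed in plaintext. The `mkRunner` helper that builds these instances starts above the hunk and the other instances continue below it, so the change is wider than the visible lines.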
diff --git a/meta/network.nix b/meta/network.nix
index 6980e44..d3eb943 100644
--- a/meta/network.nix
+++ b/meta/network.nix
@@ -13,6 +13,25 @@
 netbirdIp = null;
 };

+ build01 = {
+ interfaces = {
+ enp35s0f0np0 = {
+ ipv4 = [
+ {
+ address = "10.0.254.21";
+ prefixLength = 24;
+ }
+ ];
+
+ gateways = [ "10.0.254.1" ];
+ enableDefaultDNS = true;
+ };
+ };
+
+ hostId = "adb676ce";
+ netbirdIp = "100.80.21.38";
+ };
+
 compute01 = {
 interfaces = {
 eno1 = {
diff --git a/meta/nodes/nixos.nix b/meta/nodes/nixos.nix
index dea4288..c1da5ee 100644
--- a/meta/nodes/nixos.nix
+++ b/meta/nodes/nixos.nix
@@ -49,6 +49,28 @@
 };
 };

+ build01 = {
+ site = "pot01";
+
+ hashedPassword = "$y$j9T$n83qOn1OkQhFwQe50tPM11$jZ1tvgqMTcp4HLGEfJmTMsf0NnRUYQkzco9vibWTpU2";
+
+ stateVersion = "24.11";
+ nix-modules = [
+ "services/forgejo-nix-runners"
+ ];
+
+ nixpkgs = {
+ version = "24.11";
+ system = "nixos";
+ };
+
+ admins = [ "ecoppens" ];
+
+ deployment = {
+ targetHost = "build01.dgnum";
+ };
+ };
+
 compute01 = {
 site = "pav01";

diff --git a/meta/organization.nix b/meta/organization.nix
index af2247b..46c6813 100644
--- a/meta/organization.nix
+++ b/meta/organization.nix
@@ -95,6 +95,10 @@
 "catvayor"
 "ecoppens"
 ];
+
+ nix-builder = [
+ "ecoppens"
+ ];
 };

 external = {
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index cc1e316..4f23d74 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -21,6 +21,7 @@
 "dgn-console"
 "dgn-chatops"
 "dgn-firewall"
+ "dgn-forgejo-runners"
 "dgn-hardware"
 "dgn-netbox-agent"
 "dgn-network"
diff --git a/modules/nixos/dgn-forgejo-runners.nix b/modules/nixos/dgn-forgejo-runners.nix
new file mode 100644
index 0000000..e736930
--- /dev/null
+++ b/modules/nixos/dgn-forgejo-runners.nix
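Review bot: `hashedPassword` for build01 in the meta/nodes/nixos.nix hunk is a yescrypt (`$y$`) hash stored as a literal in the node metadata; if this repository is public or widely readable, the hash is available for offline guessing and the password's strength becomes the only protection. An age-encrypted secret consumed through a `hashedPasswordFile`-style option would keep the hash out of the tree; the neighbouring nodes appear to follow the same pattern (compute01's fields are below the hunk), so this is likely a repo-wide point rather than one introduced here, but the new node is the place to start. A short comment next to the field saying where the password is managed would also help whoever rotates it.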
@@ -0,0 +1,80 @@
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht
+# SPDX-FileCopyrightText: 2025 Elias Coppens
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+ config,
+ pkgs,
+ lib,
+ name,
+ ...
+}:
+
+let
+ url = "https://git.dgnum.eu";
+
+ inherit (lib)
+ mkEnableOption
+ mkOption
+ mkIf
+ types
+ ;
+
+ cfg = config.dgn-forgejo-runners;
+in
+{
+ options.dgn-forgejo-runners = {
+ enable = mkEnableOption "forgejo runners";
+
+ nbRunners = mkOption {
+ type = types.int;
+ };
+
+ baseDataDir = mkOption {
+ type = types.str;
+ default = "/data";
+ };
+ };
+
+ config = mkIf cfg.enable {
+
+ services.forgejo-nix-runners = {
+ enable = true;
+
+ inherit url;
+
+ storePath = cfg.baseDataDir;
+ tokenFile = config.age.secrets."forgejo_runners-token_file".path;
+ hostPlatform = name;
+
+ dependencies = [
+ pkgs.npins
+ pkgs.tea
+ ];
+
+ containerOptions = [ "--cpus=4" ];
+
+ inherit (cfg) nbRunners;
+ };
+
+ virtualisation = {
+ podman = {
+ enable = true;
+
+ defaultNetwork.settings = {
+ dns_enable = true;
+ ipv6_enabled = true;
+ };
+ };
+
+ containers.storage.settings = {
+ storage = {
+ driver = "overlay";
+ graphroot = "${cfg.baseDataDir}/containers/storage";
+ runroot = "/run/containers/storage";
+ };
+ };
+ };
+ };
+}
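Review bot: The two options declared under `options.dgn-forgejo-runners` have no `description`, and `nbRunners` accepts any `types.int`, including zero or a negative value, which the module passes straight through via `inherit (cfg) nbRunners;`. Tighten it to `type = types.ints.positive;` and give both options a one-line `description`, for example "Number of forgejo-nix-runners instances started on this host" and "Directory holding the runner store and the podman graphroot". The `config` block also dereferences `config.age.secrets."forgejo_runners-token_file"` without declaring that secret, so a host that enables the module without the matching secrets.nix entry fails with a missing-attribute error rather than a message naming the secret; an `assertions` entry would make that failure self-explaining. `hostPlatform = name;` is new relative to the storage01 block this module replaces and hands the option the node name from the module arguments; if the option expects something other than a host label, that deserves a comment.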