feat(build01): Init

.forgejo/workflows/eval-nodes.yaml

@@ -21,6 +21,17 @@ jobs:
         STORE_USER: admin
       name: Build and cache bridge01
       run: nix-shell -A eval-nodes --run cache-node
+  build01:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: build01
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache build01
+      run: nix-shell -A eval-nodes --run cache-node
   compute01:
     runs-on: nix
     steps:

keys/default.nix

@@ -20,6 +20,7 @@ rec {
   _keys = {
     # SSH keys of the nodes
     bridge01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5bS3iBXz8wycBnTvI5Qi79WLu0h4IVv/EOdKYbP5y7" ];
+    build01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIYJcEMQpOyKInqtd2/brnSQuzwgv6fNPlTSQx9tcvPu" ];
     compute01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu" ];
     geo01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4" ];
     geo02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket" ];

machines/nixos/build01/_configuration.nix

@@ -0,0 +1,23 @@
+# SPDX-FileCopyrightText: 2025 Elias Coppens <elias@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ lib, ... }:
+
+lib.extra.mkConfig {
+  enabledModules = [
+    "dgn-forgejo-runners"
+  ];
+
+  enabledServices = [
+    "nix-builder"
+  ];
+
+  extraConfig = {
+    dgn-forgejo-runners.nbRunners = 16;
+
+    services.netbird.enable = true;
+  };
+
+  root = ./.;
+}

machines/nixos/build01/_hardware-configuration.nix

@@ -0,0 +1,59 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "xhci_pci"
+        "nvme"
+        "megaraid_sas"
+        "ehci_pci"
+        "ahci"
+        "usbhid"
+        "sd_mod"
+      ];
+      kernelModules = [ "dm-snapshot" ];
+    };
+    kernelModules = [ "kvm-amd" ];
+    extraModulePackages = [ ];
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/fed99278-0916-4d9c-b974-c7125d3557b3";
+      fsType = "xfs";
+    };
+
+    "/data" = {
+      device = "/dev/disk/by-uuid/69b62f16-7db1-4720-a115-fd3b8dafe123";
+      fsType = "xfs";
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-uuid/1372-46EA";
+      fsType = "vfat";
+      options = [
+        "fmask=0022"
+        "dmask=0022"
+      ];
+    };
+  };
+
+  swapDevices = [
+    { device = "/dev/disk/by-uuid/34b9e0ab-c579-4293-849c-78f5093cf35a"; }
+  ];
+
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

machines/nixos/build01/nix-builder.nix

@@ -0,0 +1,78 @@
+# SPDX-FileCopyrightText: 2025 Elias Coppens <elias@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ pkgs, lib, ... }:
+let
+  org = import ../../../meta/organization.nix;
+  keys = (import ../../../keys/default.nix)._keys;
+in
+{
+  config = {
+    users.users = builtins.listToAttrs (
+      builtins.map (u: {
+        name = u;
+        value = {
+          isNormalUser = true;
+          home = "/home/${u}";
+          openssh.authorizedKeys.keys = keys.${u};
+        };
+      }) org.groups.nix-builder
+    );
+
+    security.pam.loginLimits = [
+      {
+        domain = "*";
+        item = "nofile";
+        type = "-";
+        value = "20480";
+      }
+    ];
+
+    systemd.services.nix-daemon.serviceConfig = {
+      MemoryAccounting = true;
+      MemoryMax = "450G";
+      MemoryHigh = "440G";
+      MemorySwapMax = "2G";
+      ManagedOOMSwap = "kill";
+      ManagedOOMMemoryPressure = "kill";
+      MemoryPressureWatch = "on";
+    };
+
+    nix = {
+      gc = {
+        automatic = true;
+        dates = lib.mkForce "*:45";
+        options = lib.mkForce ''--max-freed "$((128 * 1024**3 - 1024 * $(df -P -k /nix/store | tail -n 1 | ${pkgs.gawk}/bin/awk '{ print $4 }')))"'';
+
+        randomizedDelaySec = "1800";
+      };
+
+      nrBuildUsers = 128;
+
+      settings = {
+        keep-outputs = false;
+        keep-derivations = false;
+        use-cgroups = true;
+        http-connections = 0;
+        auto-allocate-uids = true;
+        cores = 0;
+        max-jobs = 8; # Do not build more than 2 derivations at once in the event, both of them are too big, yes this is stupid, fix it in Nix.
+        fsync-metadata = true;
+        system-features = [
+          "benchmark"
+          "big-parallel"
+          "kvm"
+          "nixos-test"
+        ];
+        experimental-features = [
+          "auto-allocate-uids"
+          # "ca-derivations" this feature is really extremely broken.
+          "cgroups"
+          "fetch-closure"
+          "impure-derivations"
+        ];
+      };
+    };
+  };
+}

machines/nixos/build01/secrets/forgejo_runners-token_file

@@ -0,0 +1,31 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA plGvUUrRbdkfNyD4UGIjjkv3Ktu4iqL4dImFZzWnqWA
+asE0N7d6lqnOFJWoU+V1bCLhlD5oFAkjs9HSM+ps6Ak
+-> ssh-ed25519 QlRB9Q hagbD6do4gKBuRBN8m8cDL6K0RFmiJwpvJOtAaPKXnA
+9727tWz+PhGm/bycXUUQHV3YqeXc0AD/mM1DvTrBLC4
+-> ssh-ed25519 r+nK/Q bnu+1g77I2LLnXNHZWMkIrgJpxpwJ1ZYgdAL4HE6hCo
+cDLyOiULyjO9s6PACs6Ou6m5h0XcDzbdc7o2P7OAizQ
+-> ssh-rsa krWCLQ
+X8SpFIBmd7LOnJqI+V3MWlaYB8f4Mron5IKYZGrqRPWzLrrkAkJsr1QdV4K9vepe
+zQsHecw8VvCKQesAKFrKTZxF8oXvoJU3GP5q9IVISLuEv8nLxgyhhLqQQqPVWLbC
+0nGGtbke2Xw2QXgUpoe6GdZ53Neg2BShUmV6SYoGeTwdxGmuL6nFH7UMzwsKWLW5
+95CoXfRyp4oxV7FQscuewPL+tNHXh6DoeW8Qlr3rxxgJkCSNMp+EchZJZOroGmtd
+SQb2SgFs712x9han1vNR7Dn3o270xa/AVldmjRBNvDGyNefItb20OP4n3bWSK3b1
+ejR3mZyP5SU2+Pr6navc0w
+-> ssh-ed25519 /vwQcQ NQSD4lKvM7uWm0deYyc22DC7/IGYve0XB9Zg8yOY5GE
+hpDWSKnlW6BtyKlXXS1anB78CvK+mnsm3BOxht7mL4Y
+-> ssh-ed25519 0R97PA i4DSi49b4vQpt3hjiHPn0/H9MzyvHz0OEPJXcvn+G1M
+C9uEKNTPRK8f4d2AYnPqDwTqDOV0SHmG/x/529l3YLA
+-> ssh-ed25519 JGx7Ng 5WgVespkMD/X/67sBoF2RbG+YXu06UuSozHrLJSn2xE
+pISCxxw/Hg9GBxh33gW6JO2mLKrdvSUVb6+AHMHwTtE
+-> ssh-ed25519 bUjjig 14Ocpj1tCsZ5lZQ32wDHsO9iFkrNi8wZS8NUhQ5HEh0
+ZbX31ejXuqmgKD1EcmH/B0zo1CeORzJn+QjrRuWNxh0
+-> ssh-ed25519 oRtTqQ dSGSGECezsXdDeyFcOSLIvKT0jdOs2d73/dRAeBuJjc
+2O/CXEu0rV5EdAewyvdA5XfLXMQvzEEtl8lPsBqICqk
+-> ssh-ed25519 IxxZqA BbHNkDUiEoWcwGjjrkFbOHCXvq2gEd8Rv7tt3p8fXHA
+yJsvxku/Kz26jTTEtuoHDLGO/gUotw/QZc+UwxCIwKE
+-> Tqc#'yq%-grease b
+X3iOhNF2FNp0ImC6uLsqjT1pAbNPBIxUCXLivDKbVIZYoBhtrLpQRJXoWK7GEakA
+8TkORCQQUYZIlNqu2Psfbi0
+--- 19Nolty0dET6QnYlxtieiluPP9R3HbrhEn5EDuFu/s4
+“˜?l÷6r] úfBžo<ŸŒ9lj5M+Ší7íNõϹäô%
Ñ.è
œELĘâÂÒw§¾snÑáã¬nšN
-×Ø̯pñûëËŠÓ

machines/nixos/build01/secrets/secrets.nix

@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: 2025 La Délégation Générale Numérique <contact@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+(import ../../../../keys).mkSecrets [ "build01" ] [
+  "forgejo_runners-token_file"
+]

machines/nixos/storage01/_configuration.nix

@@ -9,6 +9,7 @@ lib.extra.mkConfig {
     # List of modules to enable
     "dgn-backups"
     "dgn-web"
+    "dgn-forgejo-runners"
   ];
 
   enabledServices = [
@@ -27,6 +28,11 @@ lib.extra.mkConfig {
   extraConfig = {
     dgn-hardware.useZfs = true;
 
+    dgn-forgejo-runners = {
+      nbRunners = 6;
+      baseDataDir = "/data/slow";
+    };
+
     services.netbird.enable = true;
   };
 

machines/nixos/storage01/forgejo-runners.nix

@@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
 
-{ config, pkgs, ... }:
+_:
 
 let
   url = "https://git.dgnum.eu";
@@ -30,24 +30,6 @@ let
     };
 in
 {
-  services.forgejo-nix-runners = {
-    enable = true;
-
-    inherit url;
-
-    storePath = "/data/slow";
-    tokenFile = config.age.secrets."forgejo_runners-token_file".path;
-
-    dependencies = [
-      pkgs.npins
-      pkgs.tea
-    ];
-
-    containerOptions = [ "--cpus=4" ];
-
-    nbRunners = 6;
-  };
-
   services.gitea-actions-runner.instances = builtins.mapAttrs (_: mkRunner) {
     runner01 = {
       token = "qT9nZXKgLcb3fWOj7VTj3S58raiCWwF0weuIIKlY";
@@ -63,23 +45,4 @@ in
       labels = [ "debian-latest:docker://node:20-bookworm" ];
     };
   };
-
-  virtualisation = {
-    podman = {
-      enable = true;
-
-      defaultNetwork.settings = {
-        dns_enable = true;
-        ipv6_enabled = true;
-      };
-    };
-
-    containers.storage.settings = {
-      storage = {
-        driver = "overlay";
-        graphroot = "/data/slow/containers/storage";
-        runroot = "/run/containers/storage";
-      };
-    };
-  };
 }

meta/network.nix

@@ -13,6 +13,25 @@
     netbirdIp = null;
   };
 
+  build01 = {
+    interfaces = {
+      enp35s0f0np0 = {
+        ipv4 = [
+          {
+            address = "10.0.254.21";
+            prefixLength = 24;
+          }
+        ];
+
+        gateways = [ "10.0.254.1" ];
+        enableDefaultDNS = true;
+      };
+    };
+
+    hostId = "adb676ce";
+    netbirdIp = "100.80.21.38";
+  };
+
   compute01 = {
     interfaces = {
       eno1 = {

meta/nodes/nixos.nix

@@ -49,6 +49,28 @@
     };
   };
 
+  build01 = {
+    site = "pot01";
+
+    hashedPassword = "$y$j9T$n83qOn1OkQhFwQe50tPM11$jZ1tvgqMTcp4HLGEfJmTMsf0NnRUYQkzco9vibWTpU2";
+
+    stateVersion = "24.11";
+    nix-modules = [
+      "services/forgejo-nix-runners"
+    ];
+
+    nixpkgs = {
+      version = "24.11";
+      system = "nixos";
+    };
+
+    admins = [ "ecoppens" ];
+
+    deployment = {
+      targetHost = "build01.dgnum";
+    };
+  };
+
   compute01 = {
     site = "pav01";
 

meta/organization.nix

@@ -95,6 +95,10 @@
       "catvayor"
       "ecoppens"
     ];
+
+    nix-builder = [
+      "ecoppens"
+    ];
   };
 
   external = {

modules/nixos/default.nix

@@ -21,6 +21,7 @@
       "dgn-console"
       "dgn-chatops"
       "dgn-firewall"
+      "dgn-forgejo-runners"
       "dgn-hardware"
       "dgn-netbox-agent"
       "dgn-network"

modules/nixos/dgn-forgejo-runners.nix

@@ -0,0 +1,80 @@
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+# SPDX-FileCopyrightText: 2025 Elias Coppens <elias@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+  config,
+  pkgs,
+  lib,
+  name,
+  ...
+}:
+
+let
+  url = "https://git.dgnum.eu";
+
+  inherit (lib)
+    mkEnableOption
+    mkOption
+    mkIf
+    types
+    ;
+
+  cfg = config.dgn-forgejo-runners;
+in
+{
+  options.dgn-forgejo-runners = {
+    enable = mkEnableOption "forgejo runners";
+
+    nbRunners = mkOption {
+      type = types.int;
+    };
+
+    baseDataDir = mkOption {
+      type = types.str;
+      default = "/data";
+    };
+  };
+
+  config = mkIf cfg.enable {
+
+    services.forgejo-nix-runners = {
+      enable = true;
+
+      inherit url;
+
+      storePath = cfg.baseDataDir;
+      tokenFile = config.age.secrets."forgejo_runners-token_file".path;
+      hostPlatform = name;
+
+      dependencies = [
+        pkgs.npins
+        pkgs.tea
+      ];
+
+      containerOptions = [ "--cpus=4" ];
+
+      inherit (cfg) nbRunners;
+    };
+
+    virtualisation = {
+      podman = {
+        enable = true;
+
+        defaultNetwork.settings = {
+          dns_enable = true;
+          ipv6_enabled = true;
+        };
+      };
+
+      containers.storage.settings = {
+        storage = {
+          driver = "overlay";
+          graphroot = "${cfg.baseDataDir}/containers/storage";
+          runroot = "/run/containers/storage";
+        };
+      };
+    };
+  };
+}