Compare commits

...

38 commits

Author SHA1 Message Date
cd0621ba55 builders/netboot: add separate firmware_part output 2024-08-06 13:26:51 +02:00
dfd48f2179 builders: direct buildbot to /mnt store via ForceCommand 2024-08-06 13:26:35 +02:00
b1c28cfc7c bagel-cache.s3-web.delroth.net -> cache.forkos.org 2024-08-06 13:26:15 +02:00
a69750b495 update buildbot-nix 2024-08-06 13:26:01 +02:00
77ff556583 builders: fix provisioning of ssh hostkeys 2024-08-05 08:18:20 +02:00
fe3cb577c1 fix eval 2024-08-05 07:20:59 +02:00
20fc4c8f96 builders: move provisioning of ssh hostkeys to a systemd service
at first activation it does not yet have a working network setup
2024-08-05 07:17:45 +02:00
bce44930b1 builders: provision ssh hostkeys on boot 2024-08-04 18:12:02 +02:00
27d66d390e update iusb-spoof and start service on boot 2024-08-03 23:38:21 +02:00
79dea0686b add 'notipxe' netboot loader based on systemd-initrd + u-root 2024-08-03 20:28:57 +02:00
aeb8102ae4 builders: do not mount / and /boot on netboot systems 2024-08-03 20:01:39 +02:00
830dcbf6bc builders: do not mount / and /boot on netboot systems 2024-08-03 18:41:01 +02:00
f7907a2915 update hydra 2024-08-03 18:40:25 +02:00
93822775a9 baremetal-builders: do not create swapfile on rootfs when netbooting 2024-08-03 18:10:59 +02:00
dd028656ac builders: fix serial console 2024-08-02 13:21:04 +02:00
88317d099c attempt to fix netboot hydra jobs 2024-08-02 01:05:20 +02:00
1cbf286f18 build netboot files from hydra 2024-08-01 22:47:25 +02:00
6dc424dd43 wob01: serve an ipxe over iusb-spoof 2024-08-01 22:16:48 +02:00
504a443acc adjust hydra-gc numbers
we want to see how garbage collection would behave on a 480GB drive
2024-07-31 23:44:08 +02:00
96d58bbd41
forgejo: disable users explore page
This was requested and should make it a decent bit more difficult to get
a somewhat complete list of users on this instance.

We are, however, aware of other endpoints that can be used to get to a
similar result. Those just aren't as convenient nor obvious.

https://forgejo.org/docs/latest/admin/config-cheat-sheet/#service---explore-serviceexplore
2024-07-31 01:42:05 +02:00
5154906aac fix eval in assignments.nix 2024-07-30 17:23:54 +02:00
f3828368e6 hydra: set reasonable max-jobs and cores 2024-07-30 17:03:12 +02:00
314f1cb363 fix buildbot-nix reference
accidentally committed the lockfile which points to my local checkout
2024-07-30 14:02:26 +02:00
4e2d21930f baremetal-builders: detect percent_filled for the correct partition 2024-07-30 13:59:46 +02:00
dd81b78f7a add nixos-main jobset 2024-07-28 23:40:36 +02:00
537b3b978c remove yureka-staging-test jobset
I have no idea how, but it seems I accidentally deleted this jobset
2024-07-28 23:39:57 +02:00
99259356f2 make buildbot-signing-key accessible to buildbot-worker 2024-07-28 23:30:38 +02:00
924b4e7913 flake.lock: Update
Flake lock file updates:

• Updated input 'buildbot-nix':
    'git+file:///home/yuka/proj/buildbot-nix' (2024-07-22)
  → 'git+https://git.lix.systems/lix-project/buildbot-nix.git?ref=refs/heads/non-flakes&rev=8f5ad30cb7df5afbc4df1370a79bf3825c60f8b1' (2024-07-28)
2024-07-28 20:18:36 +02:00
5474832b07 baremetal builders: filesystem optimizations 2024-07-28 19:20:23 +02:00
f737c957a5 add staging next jobsets 2024-07-26 21:17:55 +02:00
15a684c5d7 baremetal-builders: more 'intelligent' gc 2024-07-26 12:17:27 +02:00
bd8aa2eb08 gerrit01: adjustments for master → main OWS
Due to rename, we need a `mkNixpkgsJob` slightly more complicated.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-07-25 23:35:06 +02:00
22a10e158f hosts/public01: init
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-07-25 20:46:20 +02:00
b8a4cd928d tf/dns: prepare public01 DNS records
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-07-25 20:40:17 +02:00
7f29885597 flake: support aarch64-linux
...I don't know how to remove the mention of x86_64-linux for colmena,
or if it actually matters, so I'm just leaving that there for now.
2024-07-24 09:37:15 +02:00
74e06ac6d0 hydra gc every 20h
metrics analysis has showed that this is unlikely to fill up the builders
2024-07-24 09:35:18 +02:00
3ff9d00f7f Add a wrapper to colmena that stops unintended toe-stepping
Taken from lix/web-services, commit hash 6d29ce968e64225faf03450c063d11a0a5c89cac

Co-authored-by: Jade Lovelace <lix@jade.fyi>
2024-07-24 07:25:25 +00:00
e5a3ce2283 buildbot fixes (#76)
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
Signed-off-by: Yureka <yureka@forkos.org>
Co-authored-by: raito <raito@noreply.git.lix.systems>
Co-committed-by: raito <raito@noreply.git.lix.systems>
2024-07-24 06:44:25 +00:00
22 changed files with 652 additions and 93 deletions

View file

@ -14,7 +14,7 @@
# Use our cache and trust its signing key. Still use cache.nixos.org as # Use our cache and trust its signing key. Still use cache.nixos.org as
# fallback. # fallback.
nix.settings.substituters = [ "https://bagel-cache.s3-web.delroth.net/" ]; nix.settings.substituters = [ "https://cache.forkos.org/" ];
nix.settings.trusted-public-keys = [ nix.settings.trusted-public-keys = [
"cache.forkos.org:xfXIUJO1yiEITJmYsVmNDa9BFSlgTh/YqZ+4ei1EhQg=" "cache.forkos.org:xfXIUJO1yiEITJmYsVmNDa9BFSlgTh/YqZ+4ei1EhQg="
]; ];

View file

@ -64,16 +64,16 @@
"treefmt-nix": "treefmt-nix" "treefmt-nix": "treefmt-nix"
}, },
"locked": { "locked": {
"lastModified": 1721409873, "lastModified": 1722939563,
"narHash": "sha256-h0njWQRvtkjK0NJ/Kgj76sXBhWwq5HGJm7OMcigmNw4=", "narHash": "sha256-lMe8aXgF550iQLRaoU+yn8yYQ4x2qiyqANgsFyjfWwA=",
"ref": "refs/heads/refactor", "ref": "refs/heads/non-flakes",
"rev": "54bba654d4279dfd112345b6470547851feb1457", "rev": "4a162a8aa5dad6cecdb33bd8534e67e0bdaeb13f",
"revCount": 267, "revCount": 295,
"type": "git", "type": "git",
"url": "https://git.lix.systems/lix-project/buildbot-nix.git" "url": "https://git.lix.systems/lix-project/buildbot-nix.git"
}, },
"original": { "original": {
"ref": "refs/heads/refactor", "ref": "refs/heads/non-flakes",
"type": "git", "type": "git",
"url": "https://git.lix.systems/lix-project/buildbot-nix.git" "url": "https://git.lix.systems/lix-project/buildbot-nix.git"
} }
@ -258,17 +258,17 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1721682989, "lastModified": 1722688238,
"narHash": "sha256-kjJiZ7m4HKqbZ2mxNQiB32/goKFb8BRi8OqC4wIU0OI=", "narHash": "sha256-x6BnYtArF6IDs7bS8ExokgAQBOlrxXxD0EOBIlASmfM=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "4b107e6ff36bd89958fba36e0fe0340903e7cd13", "rev": "9b5ac87de73ea4646dbb2af979db91f096d29960",
"revCount": 4190, "revCount": 4191,
"type": "git", "type": "git",
"url": "https://git.lix.systems/lix-project/hydra.git" "url": "https://git.lix.systems/the-distro/hydra.git"
}, },
"original": { "original": {
"type": "git", "type": "git",
"url": "https://git.lix.systems/lix-project/hydra.git" "url": "https://git.lix.systems/the-distro/hydra.git"
} }
}, },
"lix": { "lix": {

View file

@ -11,13 +11,13 @@
colmena.url = "github:zhaofengli/colmena"; colmena.url = "github:zhaofengli/colmena";
colmena.inputs.nixpkgs.follows = "nixpkgs"; colmena.inputs.nixpkgs.follows = "nixpkgs";
hydra.url = "git+https://git.lix.systems/lix-project/hydra.git"; hydra.url = "git+https://git.lix.systems/the-distro/hydra.git";
hydra.inputs.nixpkgs.follows = "nixpkgs"; hydra.inputs.nixpkgs.follows = "nixpkgs";
nix-gerrit.url = "git+https://git.lix.systems/the-distro/nix-gerrit.git"; nix-gerrit.url = "git+https://git.lix.systems/the-distro/nix-gerrit.git";
nix-gerrit.inputs.nixpkgs.follows = "nixpkgs"; nix-gerrit.inputs.nixpkgs.follows = "nixpkgs";
buildbot-nix.url = "git+https://git.lix.systems/lix-project/buildbot-nix.git?ref=refs/heads/refactor"; buildbot-nix.url = "git+https://git.lix.systems/lix-project/buildbot-nix.git?ref=refs/heads/non-flakes";
buildbot-nix.inputs.nixpkgs.follows = "nixpkgs"; buildbot-nix.inputs.nixpkgs.follows = "nixpkgs";
lix.follows = "hydra/lix"; lix.follows = "hydra/lix";
@ -25,7 +25,13 @@
outputs = { self, nixpkgs, terranix, colmena, ... } @ inputs: outputs = { self, nixpkgs, terranix, colmena, ... } @ inputs:
let let
system = "x86_64-linux"; supportedSystems = [ "x86_64-linux" "aarch64-linux" ];
forEachSystem = f: builtins.listToAttrs (map (system: {
name = system;
value = f system;
}) supportedSystems);
systemBits = forEachSystem (system: rec {
inherit system;
pkgs = import nixpkgs { pkgs = import nixpkgs {
localSystem = system; localSystem = system;
overlays = [ overlays = [
@ -34,7 +40,6 @@
inputs.nix-gerrit.overlays.default inputs.nix-gerrit.overlays.default
]; ];
}; };
lib = pkgs.lib;
terraform = pkgs.opentofu; terraform = pkgs.opentofu;
terraformCfg = terranix.lib.terranixConfiguration { terraformCfg = terranix.lib.terranixConfiguration {
inherit system; inherit system;
@ -46,9 +51,12 @@
} }
]; ];
}; };
});
forEachSystem' = f: forEachSystem (system: (f systemBits.${system}));
inherit (nixpkgs) lib;
in in
{ {
apps.${system} = { apps = forEachSystem' ({ system, pkgs, terraformCfg, terraform, ... }: {
tf = { tf = {
type = "app"; type = "app";
program = toString (pkgs.writers.writeBash "tf" '' program = toString (pkgs.writers.writeBash "tf" ''
@ -59,16 +67,19 @@
}; };
default = self.apps.${system}.tf; default = self.apps.${system}.tf;
}; });
devShells.${system}.default = pkgs.mkShell { devShells = forEachSystem' ({ system, pkgs, ... }: {
default = pkgs.mkShell {
packages = [ packages = [
inputs.agenix.packages.${system}.agenix inputs.agenix.packages.${system}.agenix
pkgs.colmena
pkgs.opentofu pkgs.opentofu
(pkgs.callPackage ./lib/colmena-wrapper.nix { })
]; ];
}; };
});
nixosConfigurations = (colmena.lib.makeHive self.outputs.colmena).nodes; nixosConfigurations = (colmena.lib.makeHive self.outputs.colmena).nodes;
@ -85,19 +96,12 @@
makeBuilder = i: lib.nameValuePair "builder-${toString i}" { makeBuilder = i: lib.nameValuePair "builder-${toString i}" {
imports = commonModules; imports = commonModules;
bagel.baremetal.builders = { enable = true; num = i; }; bagel.baremetal.builders = { enable = true; num = i; netboot = i >= 6; };
}; };
builders = lib.listToAttrs (lib.genList makeBuilder 12); builders = lib.listToAttrs (lib.genList makeBuilder 12);
in { in {
meta.nixpkgs = import nixpkgs { meta.nixpkgs = systemBits.x86_64-linux.pkgs;
localSystem = system;
overlays = [
inputs.hydra.overlays.default
inputs.lix.overlays.default
inputs.nix-gerrit.overlays.default
];
};
meta.specialArgs.inputs = inputs; meta.specialArgs.inputs = inputs;
bagel-box.imports = commonModules ++ [ ./hosts/bagel-box ]; bagel-box.imports = commonModules ++ [ ./hosts/bagel-box ];
@ -107,9 +111,10 @@
git.imports = commonModules ++ [ ./hosts/git ]; git.imports = commonModules ++ [ ./hosts/git ];
wob-vpn-gw.imports = commonModules ++ [ ./hosts/wob-vpn-gw ]; wob-vpn-gw.imports = commonModules ++ [ ./hosts/wob-vpn-gw ];
buildbot.imports = commonModules ++ [ ./hosts/buildbot ]; buildbot.imports = commonModules ++ [ ./hosts/buildbot ];
public01.imports = commonModules ++ [ ./hosts/public01 ];
} // builders; } // builders;
hydraJobs = builtins.mapAttrs (n: v: v.config.system.build.toplevel) self.nixosConfigurations; hydraJobs = builtins.mapAttrs (n: v: v.config.system.build.netbootDir or v.config.system.build.toplevel) self.nixosConfigurations;
buildbotJobs = builtins.mapAttrs (_: v: v.config.system.build.toplevel) self.nixosConfigurations; buildbotJobs = builtins.mapAttrs (_: v: v.config.system.build.toplevel) self.nixosConfigurations;
}; };
} }

View file

@ -28,7 +28,7 @@
bagel.services.buildbot = { bagel.services.buildbot = {
enable = true; enable = true;
domain = "buildbot.forkos.org"; domain = "buildbot.forkos.org";
builders = [ "builder-3" ]; builders = [ "builder-11" ];
}; };
i18n.defaultLocale = "en_US.UTF-8"; i18n.defaultLocale = "en_US.UTF-8";

View file

@ -47,11 +47,11 @@
}; };
bagel.nixpkgs.one-way-sync = bagel.nixpkgs.one-way-sync =
let let
mkNixpkgsJob = { timer, branchName }: { mkNixpkgsJob = { timer, branchName, localRefspec ? null }: {
name = "nixpkgs-${branchName}"; name = "nixpkgs-${branchName}";
fromUri = "https://github.com/NixOS/nixpkgs"; fromUri = "https://github.com/NixOS/nixpkgs";
fromRefspec = branchName; fromRefspec = branchName;
localRefspec = branchName; localRefspec = if localRefspec != null then localRefspec else branchName;
inherit timer; inherit timer;
}; };
in in
@ -63,7 +63,8 @@
branches."refs/heads/main" = mkNixpkgsJob { branches."refs/heads/main" = mkNixpkgsJob {
timer = "hourly"; timer = "hourly";
branchName = "main"; branchName = "master";
localRefspec = "main";
}; };
branches."refs/heads/staging" = mkNixpkgsJob { branches."refs/heads/staging" = mkNixpkgsJob {

32
hosts/public01/default.nix Executable file
View file

@ -0,0 +1,32 @@
{
config,
lib,
pkgs,
...
}:
{
networking.hostName = "public01";
# TODO: make it the default
networking.domain = "infra.forkos.org";
time.timeZone = "Europe/Paris";
bagel.sysadmin.enable = true;
# Buildbot is proxied.
bagel.raito.v6-proxy-awareness.enable = true;
bagel.hardware.raito-vm = {
enable = true;
networking = {
nat-lan-mac = "BC:24:11:A4:F7:D3";
wan = {
address = "2001:bc8:38ee:100:1000::60/64";
mac = "BC:24:11:DB:B8:10";
};
};
};
i18n.defaultLocale = "en_US.UTF-8";
system.stateVersion = "24.05";
deployment.targetHost = "public01.infra.forkos.org";
}

View file

@ -1,6 +1,10 @@
{ pkgs, lib, ... }: { pkgs, lib, ... }:
{ {
imports = [
./netboot.nix
];
###### Hardware ###### ###### Hardware ######
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "ehci_pci" "sd_mod" "sdhci_pci" ]; boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "ehci_pci" "sd_mod" "sdhci_pci" ];
boot.kernelModules = [ "kvm-amd" ]; boot.kernelModules = [ "kvm-amd" ];

View file

@ -0,0 +1,63 @@
{ config, lib, pkgs, nodes, modulesPath, ... }:
# The way the connection is established is specific to the wob01 site and the Intel S2600KPR blades.
# Proper netboot is not possible, because while the blades and the APU board (which is the netboot
# server here) are in the same L2 network, the uplink connection of each blade is an LACP LAG,
# meaning that the switch on the other side will only enable the port if it sees valid LACP packets.
# We work around this by presenting a virtual floppy drive using the "IUSB" protocol of the BMC.
# This virtual floppy drive contains an per-blade customized initramfs which will initialize the
# network connection including IP configuration and load the actual image off hydra.
let
netboot-server-ip = "2a01:584:11::2";
netbootNodes = lib.filterAttrs (_: node: node.config.bagel.baremetal.builders.enable && node.config.bagel.baremetal.builders.netboot) nodes;
in {
assertions = [
{
assertion = !(lib.elem 443 config.networking.firewall.allowedTCPPorts);
message = ''
Port 443 is in networking.firewalls.allowedTCPPorts, but should be only manually
allowed for specific IPs and source ports in ${builtins.toJSON __curPos}
'';
}
];
systemd.services = lib.mapAttrs' (nodename: node: let
bmcIp = "192.168.1.${toString (node.config.bagel.baremetal.builders.num * 4 + 2)}";
notipxe = node.config.system.build.notipxe.config.system.build.usbImage;
in lib.nameValuePair "iusb-spoof-${nodename}" {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Restart = "always";
};
script = ''
AUTH_TOKEN=$(${pkgs.iusb-spoof}/bin/make-token ${bmcIp})
exec ${pkgs.iusb-spoof}/bin/iusb-spoof -r ${bmcIp} 5123 $AUTH_TOKEN ${notipxe}
'';
}) netbootNodes;
# Since the builders are stateless, they can not store their ssh hostkeys
networking.firewall.allowedTCPPorts = [ 80 ]; # for ACME
networking.firewall.extraInputRules = ''
ip6 saddr 2a01:584:11::/64 tcp sport < 1024 tcp dport 443 accept;
'';
security.acme.acceptTerms = true;
security.acme.defaults.email = "infra@forkos.org";
services.nginx = {
enable = true;
virtualHosts."vpn-gw.wob01.infra.forkos.org" = {
enableACME = true;
forceSSL = true;
locations = lib.mapAttrs' (nodename: node: let
ip = "2a01:584:11::1:${toString node.config.bagel.baremetal.builders.num}";
in lib.nameValuePair "/${nodename}/" {
root = "/var/www";
extraConfig = ''
allow ${ip};
deny all;
'';
}) netbootNodes;
};
};
}

14
lib/colmena-wrapper.nix Normal file
View file

@ -0,0 +1,14 @@
# A wrapper for colmena that prevents accidentally deploying changes without
# having pulled.
{ colmena, runCommandNoCC }:
runCommandNoCC "colmena-wrapper"
{
env.colmena = "${colmena}/bin/colmena";
} ''
mkdir -p $out
ln -s ${colmena}/share $out/share
mkdir $out/bin
substituteAll ${./colmena-wrapper.sh.in} $out/bin/colmena
chmod +x $out/bin/colmena
''

29
lib/colmena-wrapper.sh.in Executable file
View file

@ -0,0 +1,29 @@
#!/usr/bin/env bash
doChecks() {
# creates refs in the refs/prefetch/remotes/origin namespace
echo "Prefetching repo changes..." >&2
git fetch --quiet --prefetch --no-write-fetch-head origin
diffs=$(git rev-list --left-right --count HEAD...refs/prefetch/remotes/origin/main)
only_in_local=$(echo "$diffs" | cut -f1)
only_in_main=$(echo "$diffs" | cut -f2)
if [[ $only_in_main -gt 0 && ! -v $FOOTGUN_ME_UWU ]]; then
echo >&2
echo "Attempting to deploy when main has $only_in_main commits not in your branch!" >&2
echo "This will probably revert someone's changes. Consider merging them." >&2
echo "If you really mean it, set the environment variable FOOTGUN_ME_UWU" >&2
exit 1
fi
if [[ $only_in_local -gt 0 ]]; then
echo "You have $only_in_local commits not yet pushed to main. Reminder to push them after :)" >&2
fi
}
if [[ $1 == 'apply' ]]; then
doChecks
fi
exec @colmena@ "$@"

View file

@ -1 +1,6 @@
[] [
(final: prev: {
iusb-spoof = final.callPackage ./iusb-spoof.nix {};
u-root = final.callPackage ./u-root {};
})
]

23
overlays/iusb-spoof.nix Normal file
View file

@ -0,0 +1,23 @@
{ rustPlatform, python3, makeWrapper }:
let
pythonEnv = python3.withPackages (p: with p; [ requests ]);
in
rustPlatform.buildRustPackage rec {
pname = "iusb-spoof";
version = "0.1.0";
src = builtins.fetchGit {
url = "https://git.lix.systems/the-distro/iusb-spoof/";
rev = "fafd47986239cc2f4dfbbae74b17555608806581";
};
cargoLock.lockFile = src + "/Cargo.lock";
nativeBuildInputs = [ makeWrapper ];
postInstall = ''
install -Dm644 $src/make-token.py $out/opt/make-token.py
makeWrapper ${pythonEnv.interpreter} $out/bin/make-token --add-flags "$out/opt/make-token.py"
'';
}

View file

@ -0,0 +1,20 @@
{ buildGoModule, fetchFromGitHub }:
buildGoModule rec {
pname = "u-root";
version = "0.14.0";
src = fetchFromGitHub {
owner = "u-root";
repo = "u-root";
rev = "v${version}";
hash = "sha256-8zA3pHf45MdUcq/MA/mf0KCTxB1viHieU/oigYwIPgo=";
};
patches = [
./u-root-allow-https.patch
];
vendorHash = null;
doCheck = false;
}

View file

@ -0,0 +1,12 @@
diff --git a/pkg/curl/schemes.go b/pkg/curl/schemes.go
index 8bac3bc0..cd396cbc 100644
--- a/pkg/curl/schemes.go
+++ b/pkg/curl/schemes.go
@@ -81,6 +81,7 @@ var (
DefaultSchemes = Schemes{
"tftp": DefaultTFTPClient,
"http": DefaultHTTPClient,
+ "https": DefaultHTTPClient,
"file": &LocalFileClient{},
}
)

View file

@ -0,0 +1,29 @@
# This file contains information on which builder(s) are providing how many
# job slots and providing which nix features
let
genBuilders = { offset ? 0, count, f }: builtins.genList (x: rec { name = "builder-${toString (offset + x)}"; value = f name; }) count;
in builtins.listToAttrs (
# The first 8 builders are general purpose hydra builders
genBuilders { count = 8; f = name: {
cores = 8;
max-jobs = 8;
supported-features = [ "kvm" "nixos-test" ];
required-features = [ ];
}; }
++
# The last 2 builders are exclusively for big-parallel
genBuilders { offset = 8; count = 2; f = name: {
cores = 20;
max-jobs = 1;
supported-features = [ "kvm" "nixos-test" "big-parallel" ];
required-features = [ "big-parallel" ];
}; }
++
# These are not currently used for hydra
genBuilders { offset = 10; count = 2; f = name: {
cores = 8;
max-jobs = 8;
supported-features = [ "kvm" "nixos-test" "big-parallel" ];
required-features = [ ];
}; }
)

View file

@ -3,10 +3,13 @@ let
cfg = config.bagel.baremetal.builders; cfg = config.bagel.baremetal.builders;
in in
{ {
imports = [ ./netboot.nix ];
options = { options = {
bagel.baremetal.builders = { bagel.baremetal.builders = {
enable = lib.mkEnableOption "baremetal bagel oven"; enable = lib.mkEnableOption "baremetal bagel oven";
netboot = lib.mkEnableOption "netboot";
num = lib.mkOption { num = lib.mkOption {
type = lib.types.int; type = lib.types.int;
}; };
@ -40,8 +43,20 @@ in
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGMnOLLX0vGTZbSJrUmF9ZFXt/NIId/MUrEpXmL2vxod" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGMnOLLX0vGTZbSJrUmF9ZFXt/NIId/MUrEpXmL2vxod"
]; ];
}; };
nix.settings.trusted-users = [ "builder" "buildbot" ]; nix.settings = {
inherit ((import ./assignments.nix).${config.networking.hostName}) max-jobs cores;
};
services.openssh.extraConfig = ''
Match User buildbot
AllowAgentForwarding no
AllowTcpForwarding no
PermitTTY no
PermitTunnel no
X11Forwarding no
ForceCommand ${config.nix.package.out}/bin/nix-daemon --store /mnt --stdio
Match All
'';
nixpkgs.hostPlatform = "x86_64-linux"; nixpkgs.hostPlatform = "x86_64-linux";
hardware.cpu.intel.updateMicrocode = true; hardware.cpu.intel.updateMicrocode = true;
@ -52,28 +67,36 @@ in
boot.initrd.services.lvm.enable = true; boot.initrd.services.lvm.enable = true;
fileSystems."/" = { boot.kernel.sysctl."fs.xfs.xfssyncd_centisecs" = "12000";
fileSystems = lib.mkMerge [
(lib.mkIf (!cfg.netboot) {
"/" = {
device = "/dev/disk/by-label/root"; device = "/dev/disk/by-label/root";
fsType = "xfs"; fsType = "xfs";
}; };
fileSystems."/mnt" = { "/boot" = {
device = "/dev/disk/by-label/hydra";
fsType = "xfs";
};
# We want the tmp filesystem on the same filesystem as the hydra store, so that builds can use reflinks
fileSystems."/tmp" = {
device = "/mnt/tmp";
options = [ "bind" ];
};
fileSystems."/boot" = {
device = "/dev/disk/by-label/BOOT"; device = "/dev/disk/by-label/BOOT";
fsType = "vfat"; fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ]; options = [ "fmask=0022" "dmask=0022" ];
}; };
})
{
"/mnt" = {
device = "/dev/disk/by-label/hydra";
fsType = "xfs";
options = ["logbsize=256k"];
};
swapDevices = [ # We want the tmp filesystem on the same filesystem as the hydra store, so that builds can use reflinks
"/tmp" = {
device = "/mnt/tmp";
options = [ "bind" ];
};
}
];
swapDevices = lib.optionals (!cfg.netboot) [
{ {
device = "/swapfile"; device = "/swapfile";
size = 50 * 1024; # 50GiB size = 50 * 1024; # 50GiB
@ -86,8 +109,8 @@ in
}; };
boot.kernelParams = [ boot.kernelParams = [
"console=ttyS0,115200"
"console=tty1" "console=tty1"
"console=ttyS0,115200"
]; ];
networking.useNetworkd = true; networking.useNetworkd = true;
@ -146,11 +169,24 @@ in
}; };
systemd.services.hydra-gc = { systemd.services.hydra-gc = {
wantedBy = [ "multi-user.target" ];
description = "Nix Garbage Collector"; description = "Nix Garbage Collector";
script = "exec ${config.nix.package.out}/bin/nix-store --gc --store /mnt"; script = ''
while : ; do
percent_filled=$(($(stat -f --format="100-(100*%a/%b)" /mnt)))
if [ "$percent_filled" -gt "54" ]; then
${config.nix.package.out}/bin/nix-store --gc --max-freed 50G --store /mnt
else
break
fi
done
'';
serviceConfig.Type = "oneshot"; serviceConfig.Type = "oneshot";
serviceConfig.User = "builder"; serviceConfig.User = "builder";
startAt = "*-*-* 00/8:00:00"; };
systemd.timers.hydra-gc = {
timerConfig.OnUnitInactiveSec = "10min";
wantedBy = [ "timers.target" ];
}; };
systemd.timers.hydra-gc.timerConfig.Persistent = true; systemd.timers.hydra-gc.timerConfig.Persistent = true;

View file

@ -0,0 +1,169 @@
{ modulesPath, pkgs, lib, config, extendModules, ... }@node:
let
cfg = config.bagel.baremetal.builders;
in
{
config = lib.mkIf (cfg.enable && cfg.netboot) {
systemd.services.sshd.after = [ "provision-ssh-hostkey.service" ];
systemd.services.provision-ssh-hostkey = {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
mkdir -p /etc/ssh
umask 0077
until ${pkgs.iputils}/bin/ping -c 1 vpn-gw.wob01.infra.forkos.org; do sleep 1; done
${pkgs.curl}/bin/curl --local-port 25-1024 https://vpn-gw.wob01.infra.forkos.org/${config.networking.hostName}/ssh_host_ed25519_key > /etc/ssh/ssh_host_ed25519_key
# Run the activation script again to trigger agenix decryption
/run/current-system/activate
'';
};
system.build = {
# Build a kernel and initramfs which will download the IPXE script from hydra using
# u-root pxeboot tool and kexec into the final netbooted system.
notipxe = import (modulesPath + "/..") {
system = "x86_64-linux";
configuration =
{ pkgs, config, ... }:
{
system.stateVersion = "24.11";
boot.initrd.availableKernelModules = [ "ahci" "ehci_pci" "usb_storage" "usbhid" "sd_mod" "igb" "bonding" ];
boot.kernelParams = [ "console=ttyS0,115200" "panic=1" "boot.panic_on_fail" ];
#boot.initrd.systemd.emergencyAccess = true;
networking.hostName = "${node.config.networking.hostName}-boot";
nixpkgs.overlays = import ../../overlays;
boot.loader.grub.enable = false;
fileSystems."/".device = "bogus"; # this config will never be booted
boot.initrd.systemd.enable = true;
boot.initrd.systemd.network = {
enable = true;
networks = node.config.systemd.network.networks;
netdevs = node.config.systemd.network.netdevs;
};
boot.initrd.systemd.storePaths = [
"${pkgs.u-root}/bin/pxeboot"
"${pkgs.iputils}/bin/ping"
];
boot.initrd.systemd.services.kexec = {
serviceConfig.Restart = "on-failure";
serviceConfig.Type = "oneshot";
wantedBy = [ "initrd-root-fs.target" ];
before = [ "sysroot.mount" ];
script = ''
ln -sf /dev/console /dev/tty
until ${pkgs.iputils}/bin/ping -c 1 hydra.forkos.org; do sleep 1; done
${pkgs.u-root}/bin/pxeboot -v -ipv4=false -file https://hydra.forkos.org/job/infra/main/${node.config.networking.hostName}/latest/download-by-type/file/ipxe
'';
};
boot.initrd.systemd.contents."/etc/ssl/certs/ca-certificates.crt".source = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
boot.initrd.services.resolved.enable = false;
boot.initrd.systemd.contents."/etc/resolv.conf".text = ''
nameserver 2001:4860:4860::6464
'';
boot.initrd.systemd.contents."/etc/systemd/journald.conf".text = ''
[Journal]
ForwardToConsole=yes
MaxLevelConsole=debug
'';
# Provide a bootable USB drive image
system.build.usbImage = pkgs.callPackage ({ stdenv, runCommand, dosfstools, e2fsprogs, mtools, libfaketime, util-linux, nukeReferences }:
runCommand "boot-img-${node.config.networking.hostName}" {
nativeBuildInputs = [ dosfstools e2fsprogs libfaketime mtools util-linux ];
outputs = [ "out" "firmware_part" ];
} ''
export img=$out
truncate -s 40M $img
sfdisk $img <<EOF
label: gpt
label-id: F222513B-DED1-49FA-B591-20CE86A2FE7F
type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B, bootable
EOF
# Create a FAT32 /boot/firmware partition of suitable size into firmware_part.img
eval $(partx $img -o START,SECTORS --nr 1 --pairs)
truncate -s $((2081 * 512 + SECTORS * 512)) firmware_part.img
mkfs.vfat --invariant -i 2e24ec82 -n BOOT firmware_part.img
# Populate the files intended for /boot/firmware
mkdir -p firmware/EFI/BOOT firmware/loader/entries
cp ${pkgs.systemd}/lib/systemd/boot/efi/systemd-boot*.efi firmware/EFI/BOOT/BOOT${lib.toUpper stdenv.hostPlatform.efiArch}.EFI
cat > firmware/loader/loader.conf << EOF
default foo
EOF
cat > firmware/loader/entries/default.conf << EOF
title Default
linux /EFI/${pkgs.stdenv.hostPlatform.linux-kernel.target}
initrd /EFI/initrd
options init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams}
EOF
cp ${config.system.build.kernel}/${pkgs.stdenv.hostPlatform.linux-kernel.target} firmware/EFI/${pkgs.stdenv.hostPlatform.linux-kernel.target}
cp ${config.system.build.initialRamdisk}/${config.system.boot.loader.initrdFile} firmware/EFI/initrd
find firmware -exec touch --date=2000-01-01 {} +
# Copy the populated /boot/firmware into the SD image
cd firmware
# Force a fixed order in mcopy for better determinism, and avoid file globbing
for d in $(find . -type d -mindepth 1 | sort); do
faketime "2000-01-01 00:00:00" mmd -i ../firmware_part.img "::/$d"
done
for f in $(find . -type f | sort); do
mcopy -pvm -i ../firmware_part.img "$f" "::/$f"
done
cd ..
# Verify the FAT partition before copying it.
fsck.vfat -vn firmware_part.img
dd conv=notrunc if=firmware_part.img of=$img seek=$START count=$SECTORS
cp firmware_part.img $firmware_part
''
) {};
}
;
};
# This is the config which will actually be booted
netbootVariant = extendModules {
modules = [
(
{ modulesPath, ... }:
{
imports = [ (modulesPath + "/installer/netboot/netboot.nix") ];
}
)
];
};
# A derivation combining all the artifacts required for netbooting for the hydra job
netbootDir = let
kernelTarget = pkgs.stdenv.hostPlatform.linux-kernel.target;
build = config.system.build.netbootVariant.config.system.build;
in
pkgs.symlinkJoin {
name = "netboot";
paths = [
build.netbootRamdisk
build.kernel
build.netbootIpxeScript
];
postBuild = ''
mkdir -p $out/nix-support
echo "file ${kernelTarget} $out/${kernelTarget}" >> $out/nix-support/hydra-build-products
echo "file initrd $out/initrd" >> $out/nix-support/hydra-build-products
echo "file ipxe $out/netboot.ipxe" >> $out/nix-support/hydra-build-products
'';
preferLocalBuild = true;
};
};
};
}

View file

@ -31,8 +31,16 @@ in
age.secrets.buildbot-oauth-secret.file = ../../secrets/buildbot-oauth-secret.age; age.secrets.buildbot-oauth-secret.file = ../../secrets/buildbot-oauth-secret.age;
age.secrets.buildbot-workers.file = ../../secrets/buildbot-workers.age; age.secrets.buildbot-workers.file = ../../secrets/buildbot-workers.age;
age.secrets.buildbot-service-key.file = ../../secrets/buildbot-service-key.age; age.secrets.buildbot-service-key.file = ../../secrets/buildbot-service-key.age;
age.secrets.buildbot-signing-key.file = ../../secrets/buildbot-signing-key.age; age.secrets.buildbot-signing-key = {
age.secrets.buildbot-remote-builder-key.file = ../../secrets/buildbot-remote-builder-key.age; file = ../../secrets/buildbot-signing-key.age;
owner = "buildbot-worker";
group = "buildbot-worker";
};
age.secrets.buildbot-remote-builder-key = {
file = ../../secrets/buildbot-remote-builder-key.age;
owner = "buildbot-worker";
group = "buildbot-worker";
};
services.nginx.virtualHosts.${cfg.domain} = { services.nginx.virtualHosts.${cfg.domain} = {
forceSSL = true; forceSSL = true;
@ -58,7 +66,7 @@ in
(_: lib.foldl' lib.add 0) (_: lib.foldl' lib.add 0)
(lib.concatMap (lib.concatMap
(m: map (s: { ${s} = m.maxJobs; }) m.systems) (m: map (s: { ${s} = m.maxJobs; }) m.systems)
config.nix.buildMachines)) config.services.buildbot-nix.coordinator.buildMachines))
); );
}; };
@ -67,6 +75,8 @@ in
inherit (cfg) domain; inherit (cfg) domain;
debugging.enable = true;
oauth2 = { oauth2 = {
name = "Lix"; name = "Lix";
clientId = "forkos-buildbot"; clientId = "forkos-buildbot";

View file

@ -55,6 +55,10 @@ in
DEFAULT_KEEP_EMAIL_PRIVATE = true; DEFAULT_KEEP_EMAIL_PRIVATE = true;
}; };
"service.explore" = {
DISABLE_USERS_PAGE = true;
};
oauth2_client = { oauth2_client = {
REGISTER_EMAIL_CONFIRM = false; REGISTER_EMAIL_CONFIRM = false;
ENABLE_AUTO_REGISTRATION = true; ENABLE_AUTO_REGISTRATION = true;

View file

@ -13,15 +13,36 @@ let
# XXX: to support Nix's dumb public host key syntax (base64'd), this outputs # XXX: to support Nix's dumb public host key syntax (base64'd), this outputs
# a string with shell-style command interpolations: $(...). # a string with shell-style command interpolations: $(...).
mkBaremetalBuilder = { parallelBuilds, publicHostKey, host, speedFactor ? 1, user ? "builder", supportedSystems ? [ "i686-linux" "x86_64-linux" ], supportedFeatures ? [ "big-parallel" "kvm" "nixos-test" ] }: mkBaremetalBuilder = {
"ssh://${user}@${host}?remote-store=/mnt ${lib.concatStringsSep "," supportedSystems} ${config.age.secrets.hydra-ssh-key-priv.path} ${toString parallelBuilds} ${toString speedFactor} ${lib.concatStringsSep "," supportedFeatures} - $(echo -n '${publicHostKey}' | base64 -w0)"; parallelBuilds,
publicHostKey,
host,
speedFactor ? 1,
user ? "builder",
supportedSystems ? [ "i686-linux" "x86_64-linux" ],
supportedFeatures ? [ "big-parallel" "kvm" "nixos-test" ],
requiredFeatures ? [ ]
}:
let
supportedFeatures_ = if (supportedFeatures != []) then lib.concatStringsSep "," supportedFeatures else "-";
requiredFeatures_ = if (requiredFeatures != []) then lib.concatStringsSep "," requiredFeatures else "-";
in
"ssh://${user}@${host}?remote-store=/mnt ${lib.concatStringsSep "," supportedSystems} ${config.age.secrets.hydra-ssh-key-priv.path} ${toString parallelBuilds} ${toString speedFactor} ${supportedFeatures_} ${requiredFeatures_} $(echo -n '${publicHostKey}' | base64 -w0)";
# TODO: # TODO:
# - generalize to new architectures # - generalize to new architectures
# - generalize to new features # - generalize to new features
baremetalBuilders = lib.concatStringsSep "\n" baremetalBuilders = lib.concatStringsSep "\n"
(map (n: mkBaremetalBuilder { (map (n: let
parallelBuilds = 8; # TODO: do not hardcode this, use the node's builder configuration. assignments = (import ../baremetal-builder/assignments.nix).${n} or {
inherit (nodes.${n}.config.nix.settings) max-jobs;
supported-features = [ "big-parallel" "kvm" "nixos-test" ];
required-features = [];
};
in mkBaremetalBuilder {
parallelBuilds = assignments.max-jobs;
supportedFeatures = assignments.supported-features;
requiredFeatures = assignments.required-features;
publicHostKey = ssh-keys.machines.${n}; publicHostKey = ssh-keys.machines.${n};
host = nodes.${n}.config.networking.fqdn; host = nodes.${n}.config.networking.fqdn;
}) cfg.builders); }) cfg.builders);

View file

@ -68,6 +68,7 @@ in
# git.p.forkos.org exposes forgejo ssh server. # git.p.forkos.org exposes forgejo ssh server.
(proxyRecords "git.p" 3600 "AAAA" ["2001:bc8:38ee:100:1000::40"]) (proxyRecords "git.p" 3600 "AAAA" ["2001:bc8:38ee:100:1000::40"])
(dualProxyRecords "buildbot.infra" 3600 "AAAA" ["2001:bc8:38ee:100:1000::50"]) (dualProxyRecords "buildbot.infra" 3600 "AAAA" ["2001:bc8:38ee:100:1000::50"])
(dualProxyRecords "public01.infra" 3600 "AAAA" ["2001:bc8:38ee:100:1000::60"])
(record "cl" 3600 "CNAME" ["gerrit01.infra.p"]) (record "cl" 3600 "CNAME" ["gerrit01.infra.p"])
(record "fodwatch" 3600 "CNAME" ["fodwatch.infra.p"]) (record "fodwatch" 3600 "CNAME" ["fodwatch.infra.p"])
@ -81,6 +82,7 @@ in
(record "mimir" 3600 "CNAME" ["meta01.infra.p"]) (record "mimir" 3600 "CNAME" ["meta01.infra.p"])
(record "matrix" 3600 "CNAME" ["meta01.infra.p"]) (record "matrix" 3600 "CNAME" ["meta01.infra.p"])
(record "buildbot" 3600 "CNAME" ["buildbot.infra.p"]) (record "buildbot" 3600 "CNAME" ["buildbot.infra.p"])
(record "b" 3600 "CNAME" ["public01.infra.p"])
# S3 in delroth's basement # S3 in delroth's basement
(record "cache" 3600 "CNAME" ["smol.delroth.net."]) (record "cache" 3600 "CNAME" ["smol.delroth.net."])

View file

@ -205,13 +205,53 @@ in
email_notifications = false; email_notifications = false;
}; };
resource.hydra_jobset.yureka-staging-test = { resource.hydra_jobset.nixos-staging-next-small = {
project = config.resource.hydra_project.forkos.name; project = config.resource.hydra_project.forkos.name;
state = "enabled"; state = "enabled";
visible = true; visible = true;
name = "yureka-staging-test"; name = "nixos-staging-next-small";
type = "legacy"; type = "legacy";
description = "staging branch for yureka-nixos"; description = "nixos jobset for the staging-next branch";
nix_expression = {
file = "nixos/release-small.nix";
input = "nixpkgs";
};
check_interval = 0;
scheduling_shares = 3000;
keep_evaluations = 3;
email_notifications = false;
input = [
{
name = "nixpkgs";
type = "git";
value = "https://cl.forkos.org/nixpkgs staging-next";
notify_committers = false;
}
{
name = "officialRelease";
type = "boolean";
value = "false";
notify_committers = false;
}
{
name = "supportedSystems";
type = "nix";
value = ''[ "x86_64-linux" ]'';
}
];
};
resource.hydra_jobset.nixpkgs-staging-next = {
project = config.resource.hydra_project.forkos.name;
state = "enabled";
visible = true;
name = "nixpkgs-staging-next";
type = "legacy";
description = "nixpkgs jobset for the staging-next branch";
nix_expression = { nix_expression = {
file = "pkgs/top-level/release.nix"; file = "pkgs/top-level/release.nix";
@ -228,7 +268,47 @@ in
{ {
name = "nixpkgs"; name = "nixpkgs";
type = "git"; type = "git";
value = "https://cl.forkos.org/nixpkgs sandbox/yureka/staging-test"; value = "https://cl.forkos.org/nixpkgs staging-next";
notify_committers = false;
}
{
name = "officialRelease";
type = "boolean";
value = "false";
notify_committers = false;
}
{
name = "supportedSystems";
type = "nix";
value = ''[ "x86_64-linux" ]'';
}
];
};
resource.hydra_jobset.nixos-main = {
project = config.resource.hydra_project.forkos.name;
state = "enabled";
visible = true;
name = "nixos-main";
type = "legacy";
description = "nixos jobset for the main branch";
nix_expression = {
file = "nixos/release-combined.nix";
input = "nixpkgs";
};
check_interval = 0;
scheduling_shares = 3000;
keep_evaluations = 3;
email_notifications = false;
input = [
{
name = "nixpkgs";
type = "git";
value = "https://cl.forkos.org/nixpkgs main";
notify_committers = false; notify_committers = false;
} }
{ {