From 002db9a78f3b32a04f8b5db1360820c40033d057 Mon Sep 17 00:00:00 2001
From: Raito Bezarius
Date: Sat, 5 Oct 2024 18:06:23 +0200
Subject: [PATCH] feat: introduce tenant-specific extra build capacity
At Lix, we have few aarch64-linux and aarch64-darwin systems we use to boost our CI. This is a module to handle tenant-specific extra build capacity without it leaking over the rest of the deployment.
Signed-off-by: Raito Bezarius
---
 common/base-server.nix | 2 +-
 services/default.nix | 1 +
 services/extra-builders/default.nix | 6 ++++
 services/extra-builders/provider.nix | 46 ++++++++++++++++++++++++++++
 4 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 services/extra-builders/default.nix
 create mode 100644 services/extra-builders/provider.nix
diff --git a/common/base-server.nix b/common/base-server.nix
index ec95eda..31de7de 100644
--- a/common/base-server.nix
+++ b/common/base-server.nix
@@ -31,7 +31,7 @@
 automatic = true;
 persistent = true;
 dates = lib.mkDefault "daily";
- options = "--delete-older-than 30d";
+ options = lib.mkDefault "--delete-older-than 30d";
 };
 services.journald.extraConfig = "SystemMaxUse=512M";
diff --git a/services/default.nix b/services/default.nix
index 8daacc3..6cbad0f 100644
--- a/services/default.nix
+++ b/services/default.nix
@@ -14,5 +14,6 @@
 ./buildbot
 ./newsletter
 ./s3-revproxy
+ ./extra-builders
 ];
 }
diff --git a/services/extra-builders/default.nix b/services/extra-builders/default.nix
new file mode 100644
index 0000000..84ee7ae
--- /dev/null
+++ b/services/extra-builders/default.nix
@@ -0,0 +1,6 @@
+{
+ imports = [
+ # Remote builders
+ ./provider.nix
+ ];
+}
diff --git a/services/extra-builders/provider.nix b/services/extra-builders/provider.nix
new file mode 100644
index 0000000..c084fdd
--- /dev/null
+++ b/services/extra-builders/provider.nix
@@ -0,0 +1,46 @@
+## Tenant-specific build capacity.
+## This can come from anywhere and is not hold to the same level of responsibility that our build-infra has.
+{ pkgs, config, lib, nodes, ... }:
+let
+ inherit (lib) mkIf types mkEnableOption mkOption;
+ freeGbDiskSpace = 10;
+ cfg = config.bagel.builders.extra-build-capacity.provider;
+in
+{
+ options.bagel.builders.extra-build-capacity.provider = {
+ enable = mkEnableOption "providing of extra build capacity to other systems";
+
+ buildfarmPublicKeys = mkOption {
+ type = types.listOf types.str;
+ description = "SSH public keys to allow to connect for remote builds";
+ };
+
+ # TODO: register tenant in some deployment wide module
+ # so that the consumer side can just automatically generate buildMachines entries.
+ tenant = mkOption {
+ type = types.enum [ "lix" ];
+ };
+ };
+
+ config = mkIf cfg.enable {
+ users.groups.builders = {};
+ users.users.nix = {
+ openssh.authorizedKeys.keys = cfg.buildfarmPublicKeys;
+ extraGroups = [ "builders" ];
+ isNormalUser = true;
+ };
+
+ nix.settings.allowed-users = [ "@wheel" "@builders" ];
+ nix.settings.trusted-users = [ "@builders" ];
+
+ nix.gc.automatic = true;
+ nix.gc.dates = "hourly";
+ nix.gc.options = ''
+ --max-freed "$((${toString freeGbDiskSpace} * 1024**3 - 1024 * $(df -P -k /nix/store | tail -n 1 | ${pkgs.gawk}/bin/awk '{ print $4 }')))"
+ '';
+ # Bump the open files limit so that non-root users can run NixOS VM tests, if supported at all.
+ security.pam.loginLimits = [
+ { domain = "*"; item = "nofile"; type = "-"; value = "20480"; }
+ ];
+ };
+}
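Review bot: The tenant-supplied keys installed by `openssh.authorizedKeys.keys = cfg.buildfarmPublicKeys;` carry no options at all, while the same `nix` user is `isNormalUser = true` (login shell) and is a member of `@builders`, which `nix.settings.trusted-users` makes root-equivalent towards the daemon — so whoever holds one of those keys gets an interactive shell on this host plus the ability to override daemon settings such as `sandbox` or `substituters`, which is at odds with the header comment that this capacity is not held to the build-infra's standard. Pin each key to the build protocol with a forced command and no forwarding, e.g. `openssh.authorizedKeys.keys = map (k: "restrict,command=\"${config.nix.package}/bin/nix-store --serve --write\" ${k}") cfg.buildfarmPublicKeys;` (for `ssh-ng://` consumers the command would be `nix-daemon --stdio` instead; which protocol applies depends on the buildMachines entries the TODO defers, so confirm against the consumer side), or mirror what NixOS' `nix.sshServe` module does with a `Match User` ForceCommand block that also disables agent/TCP forwarding and PTYs. If consumers end up on the legacy `ssh://` protocol, `nix-store --serve --write` imports pushed paths without requiring a trusted client as far as I recall, so the `trusted-users = [ "@builders" ]` line may be droppable — worth verifying rather than granting it by default. Separately, the `--max-freed` arithmetic in `nix.gc.options` goes negative once more than `freeGbDiskSpace` GiB is free; nix-collect-garbage clamps that to zero in my recollection, but a `# negative result means "free nothing"; nix clamps it to 0` comment (or an explicit clamp in the shell expression) would make that intent explicit, and `df`/`tail` are resolved via the unit's PATH while `awk` is pinned to `${pkgs.gawk}`.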