feat: introduce tenant-specific extra build capacity
At Lix, we have a few aarch64-linux and aarch64-darwin systems we use to boost our CI. This is a module to handle tenant-specific extra build capacity without it leaking into the rest of the deployment. Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
parent
6978c1271d
commit
002db9a78f
|
@ -31,7 +31,7 @@
|
||||||
automatic = true;
|
automatic = true;
|
||||||
persistent = true;
|
persistent = true;
|
||||||
dates = lib.mkDefault "daily";
|
dates = lib.mkDefault "daily";
|
||||||
options = "--delete-older-than 30d";
|
options = lib.mkDefault "--delete-older-than 30d";
|
||||||
};
|
};
|
||||||
|
|
||||||
services.journald.extraConfig = "SystemMaxUse=512M";
|
services.journald.extraConfig = "SystemMaxUse=512M";
|
||||||
|
|
|
@ -14,5 +14,6 @@
|
||||||
./buildbot
|
./buildbot
|
||||||
./newsletter
|
./newsletter
|
||||||
./s3-revproxy
|
./s3-revproxy
|
||||||
|
./extra-builders
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
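--- /dev/null
+++ b/services/extra-builders/default.nix
@@ -0,0 +1,6 @@
+{
+  imports = [
+    # Remote builders
+    ./provider.nix
+  ];
+}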
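--- /dev/null
+++ b/services/extra-builders/provider.nix
@@ -0,0 +1,46 @@
+## Tenant-specific build capacity.
+## This can come from anywhere and is not hold to the same level of responsibility that our build-infra has.
+{ pkgs, config, lib, nodes, ... }:
+let
+  inherit (lib) mkIf types mkEnableOption mkOption;
+  freeGbDiskSpace = 10;
+  cfg = config.bagel.builders.extra-build-capacity.provider;
+in
+{
+  options.bagel.builders.extra-build-capacity.provider = {
+    enable = mkEnableOption "providing of extra build capacity to other systems";
+
+    buildfarmPublicKeys = mkOption {
+      type = types.listOf types.str;
+      description = "SSH public keys to allow to connect for remote builds";
+    };
+
+    # TODO: register tenant in some deployment wide module
+    # so that the consumer side can just automatically generate buildMachines entries.
+    tenant = mkOption {
+      type = types.enum [ "lix" ];
+    };
+  };
+
+  config = mkIf cfg.enable {
+    users.groups.builders = {};
+    users.users.nix = {
+      openssh.authorizedKeys.keys = cfg.buildfarmPublicKeys;
+      extraGroups = [ "builders" ];
+      isNormalUser = true;
+    };
+
+    nix.settings.allowed-users = [ "@wheel" "@builders" ];
+    nix.settings.trusted-users = [ "@builders" ];
+
+    nix.gc.automatic = true;
+    nix.gc.dates = "hourly";
+    nix.gc.options = ''
+      --max-freed "$((${toString freeGbDiskSpace} * 1024**3 - 1024 * $(df -P -k /nix/store | tail -n 1 | ${pkgs.gawk}/bin/awk '{ print $4 }')))"
+    '';
+    # Bump the open files limit so that non-root users can run NixOS VM tests, if supported at all.
+    security.pam.loginLimits = [
+      { domain = "*"; item = "nofile"; type = "-"; value = "20480"; }
+    ];
+  };
+}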