Janik Haag
464a726664
Without this patch running `colmena build` will run into a few assertion errors for machines that have `config.bagel.baremetal.builders.netboot == true` set. This is due to an assertion check in the initrd module making sure there is a mount point for `/`. This can be trivially fixed by just setting the mount point to the real world value, which is a tmpfs with 64GB assigned. We also set `deployment.targetHost` to a domain that will never resolve in the public internet, to make sure nobody applies these machines by hand. It would have been nice to throw an error whenever `colmena apply` gets executed for one of these hosts, but doing so would defeat the purpose of this patch, because the colmena `build` and `apply` arguments both evaluate the exact same code paths and thus colmena `build` would error again. The motivation behind this was so we could run `colmena build` in CI in the future, and to not scare off new contributors with random build failures when they first try to build the machines. The proper solution would be to exclude all the network booted builders from the regular colmena hive that is exposed to the cli, but this is too many yaks to shave for now.
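# NixOS module for the bare-metal "bagel" builders.
#
# Enabled via `bagel.baremetal.builders.enable`; `num` selects the host name
# and the IPv6 address, `netboot` drops the on-disk root/boot/swap definitions
# and the colmena deployment target for machines that boot from the network.
{ pkgs, lib, config, ... }:

let
  cfg = config.bagel.baremetal.builders;
in
{
  imports = [ ./netboot.nix ];

  options = {
    bagel.baremetal.builders = {
      enable = lib.mkEnableOption "baremetal bagel oven";
      netboot = lib.mkEnableOption "netboot";
      # Builder index; used for the host name and the last IPv6 address group.
      num = lib.mkOption {
        type = lib.types.int;
      };
    };
  };

  config = lib.mkIf cfg.enable {
    boot.initrd.availableKernelModules = [ "ahci" "ehci_pci" "usb_storage" "usbhid" "sd_mod" ];
    boot.initrd.kernelModules = [ "dm-snapshot" ];

    users.users.builder = {
      isSystemUser = true;
      group = "nogroup";
      home = "/var/empty";
      shell = "/bin/sh";
      openssh.authorizedKeys.keys = [
        # Do not hardcode Hydra's public key, selectively
        # add the keys of the coordinators that require us.
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAvUT9YBig9LQPHgypIBHQuC32XqDKxlFZ2CfgDi0ZKx"
      ];
    };

    users.users.buildbot = {
      isSystemUser = true;
      group = "nogroup";
      home = "/var/empty";
      shell = "/bin/sh";
      openssh.authorizedKeys.keys = [
        # Do not hardcode Buildbot's public key, selectively
        # add the keys of the coordinators that require us.
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGMnOLLX0vGTZbSJrUmF9ZFXt/NIId/MUrEpXmL2vxod"
      ];
    };

    nix.settings = {
      # Trusted users may override daemon settings (extra substituters,
      # importing unsigned paths), which is effectively root-equivalent on
      # this host: whoever holds the two SSH keys above owns the builder.
      trusted-users = [ "builder" "buildbot" ];
      # Per-host parallelism comes from assignments.nix, keyed by host name.
      inherit ((import ./assignments.nix).${config.networking.hostName}) max-jobs cores;
    };

    nixpkgs.hostPlatform = "x86_64-linux";
    hardware.cpu.intel.updateMicrocode = true;

    boot.loader.systemd-boot.enable = true;
    boot.loader.efi.canTouchEfiVariables = true;
    boot.initrd.systemd.enable = true;

    boot.initrd.services.lvm.enable = true;

    boot.kernel.sysctl."fs.xfs.xfssyncd_centisecs" = "12000";

    fileSystems = lib.mkMerge [
      # Disk-backed root and ESP only exist on machines that do not netboot.
      (lib.mkIf (!cfg.netboot) {
        "/" = {
          device = "/dev/disk/by-label/root";
          fsType = "xfs";
        };

        "/boot" = {
          device = "/dev/disk/by-label/BOOT";
          fsType = "vfat";
          options = [ "fmask=0022" "dmask=0022" ];
        };
      })
      {
        # The hydra store lives here on every builder, netboot or not.
        "/mnt" = {
          device = "/dev/disk/by-label/hydra";
          fsType = "xfs";
          options = [ "logbsize=256k" ];
        };

        # We want the tmp filesystem on the same filesystem as the hydra store, so that builds can use reflinks
        "/tmp" = {
          device = "/mnt/tmp";
          options = [ "bind" ];
        };
      }
    ];

    swapDevices = lib.optionals (!cfg.netboot) [
      {
        device = "/swapfile";
        size = 50 * 1024; # 50GiB
      }
    ];

    zramSwap = {
      enable = true;
      memoryPercent = 25;
    };

    boot.kernelParams = [
      "console=tty1"
      "console=ttyS0,115200"
    ];

    networking.useNetworkd = true;
    networking.hostName = "builder-${toString cfg.num}";
    networking.domain = "wob01.infra.forkos.org";

    # Both on-board NICs are bonded (LACP) into a single "uplink" device.
    systemd.network = {
      netdevs = {
        "40-uplink" = {
          netdevConfig = {
            Kind = "bond";
            Name = "uplink";
          };
          bondConfig = {
            Mode = "802.3ad";
            TransmitHashPolicy = "layer3+4";
          };
        };
      };
      networks = {
        "40-eno1" = {
          name = "eno1";
          bond = [ "uplink" ];
        };
        "40-eno2" = {
          name = "eno2";
          bond = [ "uplink" ];
        };
      };
    };

    networking.interfaces.uplink.ipv6.addresses = [
      { address = "2a01:584:11::1:${toString cfg.num}"; prefixLength = 64; }
    ];
    networking.defaultGateway6 = { interface = "uplink"; address = "2a01:584:11::1"; };

    # Netboot builders get no targetHost, so colmena has no address to
    # apply to for them.
    deployment.targetHost = lib.mkIf (!cfg.netboot) "2a01:584:11::1:${toString cfg.num}";
    deployment.tags = [ "builders" ];

    # Why can't we have nice things? https://bugs.openjdk.org/browse/JDK-8170568
    # Local CoreDNS on the loopback: everything is forwarded to the upstream
    # resolver, except that A queries get an empty NOERROR answer.
    services.coredns = {
      enable = true;
      config = ''
        . {
          bind lo
          forward . 2001:4860:4860::6464
          template ANY A { rcode NOERROR }
        }
      '';
    };
    services.resolved.enable = false;
    networking.resolvconf.useLocalResolver = true;

    # Hydra blasts ssh connections and does not multiplex. Loosen some of the
    # rate limiting.
    services.openssh.settings = {
      MaxStartups = "500:30:1000";
    };

    systemd.services.hydra-gc = {
      wantedBy = [ "multi-user.target" ];
      description = "Nix Garbage Collector";
      # Collect the /mnt store in 80G steps until usage is at or below 85%.
      # A pass that frees nothing (store full of live paths) ends the loop;
      # without that check a full store would make this spin forever.
      script = ''
        usage_percent() {
          echo $(($(stat -f --format="100-(100*%a/%b)" /mnt)))
        }
        free_blocks() {
          stat -f --format=%a /mnt
        }
        while : ; do
          if [ "$(usage_percent)" -le "85" ]; then
            break
          fi
          before=$(free_blocks)
          ${config.nix.package.out}/bin/nix-store --gc --max-freed 80G --store /mnt
          if [ "$(free_blocks)" -le "$before" ]; then
            echo "garbage collection freed nothing at $(usage_percent)% usage, giving up"
            break
          fi
        done
      '';
      serviceConfig.Type = "oneshot";
      serviceConfig.User = "builder";
    };
    systemd.timers.hydra-gc = {
      timerConfig.OnUnitInactiveSec = "10min";
      timerConfig.Persistent = true;
      wantedBy = [ "timers.target" ];
    };

    bagel.sysadmin.enable = true;

    environment.systemPackages = [ pkgs.ipmitool ];

    system.stateVersion = "24.05";
  };
}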