raito/shared-public-infra
0
1
Fork 3
Code Issues Pull requests 1 Packages Projects Releases Wiki Activity

Compare commits

base: raito:main
Branches Tags
raito:main
raito:jade/lix-update-cleanup
raito:disable-autoUpgrade
raito:so-it-has-begun
raito:pennae
raito:vieuxtype
..
compare: raito:pennae
Branches Tags
raito:main
raito:jade/lix-update-cleanup
raito:disable-autoUpgrade
raito:so-it-has-begun
raito:pennae
raito:vieuxtype

No commits in common. "main" and "pennae" have entirely different histories.
main ... pennae

19 changed files with 321 additions and 512 deletions
Show stats Expand all files Collapse all files

2
.gitignore vendored
View file

@ -1,3 +1 @@
.direnv
result
.gcroots

22
configurations.nix
View file

@ -3,13 +3,14 @@ let
inherit
(self.inputs)
nixpkgs
lix-module
home-manager
agenix
nur
colmena
flake-registry
nixos-hypervisor
nixos-hardware
nixpkgs-unstable
srvos
disko
;
@ -29,10 +30,12 @@ let
./modules/users/admins.nix
./modules/packages.nix
./modules/nix-daemon.nix
./modules/auto-upgrade.nix
./modules/tor-ssh.nix
./modules/hosts.nix
./modules/network.nix
./modules/zsh.nix
./modules/ssh-cursed.nix
# FIXME: ./modules/buildbot — whenever you are ready.
@ -42,12 +45,11 @@ let
srvos.nixosModules.mixins-trusted-nix-caches
srvos.nixosModules.mixins-terminfo
nixos-hypervisor.nixosModules.host
# srvos.nixosModules.mixins-telegraf
# srvos.nixosModules.mixins-terminfo
# use lix
lix-module.nixosModules.default
agenix.nixosModules.default
({ pkgs
, config
@ -60,7 +62,7 @@ let
{
nix.nixPath = [
"home-manager=${home-manager}"
"nixpkgs=flake:nixpkgs"
"nixpkgs=${pkgs.path}"
"nur=${nur}"
];
# TODO: share nixpkgs for each machine to speed up local evaluation.
@ -72,7 +74,10 @@ let
#};
# sops.defaultSopsFile = lib.mkIf (builtins.pathExists sopsFile) sopsFile;
nix.settings.builders-use-substitutes = true;
nix.extraOptions = ''
flake-registry = ${flake-registry}/flake-registry.json
builders-use-substitutes = true
'';
nix.registry = {
home-manager.flake = home-manager;
@ -103,11 +108,8 @@ in
flake.colmena = {
meta.nixpkgs = import nixpkgs {
system = "x86_64-linux";
# yikes, this overlay has to be listed twice since colmena makes us
# import nixpkgs explicitly here
overlays = [
# bonking cppnix out of the closure as much as possible
lix-module.overlays.default
nixos-hypervisor.overlays.default
];
};
epyc = {

331
flake.lock
View file

@ -10,11 +10,11 @@
"systems": "systems"
},
"locked": {
"lastModified": 1718371084,
"narHash": "sha256-abpBi61mg0g+lFFU0zY4C6oP6fBwPzbHPKBGw676xsA=",
"lastModified": 1707830867,
"narHash": "sha256-PAdwm5QqdlwIqGrfzzvzZubM+FXtilekQ/FA0cI49/o=",
"owner": "ryantm",
"repo": "agenix",
"rev": "3a56735779db467538fb2e577eda28a9daacaca6",
"rev": "8cb01a0e717311680e0cbca06a76cbceba6f3ed6",
"type": "github"
},
"original": {
@ -32,11 +32,11 @@
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1717279440,
"narHash": "sha256-kH04ReTjxOpQumgWnqy40vvQLSnLGxWP6RF3nq5Esrk=",
"lastModified": 1707922053,
"narHash": "sha256-wSZjK+rOXn+UQiP1NbdNn5/UW6UcBxjvlqr2wh++MbM=",
"owner": "zhaofengli",
"repo": "attic",
"rev": "717cc95983cdc357bc347d70be20ced21f935843",
"rev": "6eabc3f02fae3683bffab483e614bebfcd476b21",
"type": "github"
},
"original": {
@ -55,11 +55,11 @@
"stable": "stable"
},
"locked": {
"lastModified": 1711386353,
"narHash": "sha256-gWEpb8Hybnoqb4O4tmpohGZk6+aerAbJpywKcFIiMlg=",
"lastModified": 1706509311,
"narHash": "sha256-QQKQ6r3CID8aXn2ZXZ79ZJxdCOeVP+JTnOctDALErOw=",
"owner": "zhaofengli",
"repo": "colmena",
"rev": "cd65ef7a25cdc75052fbd04b120aeb066c3881db",
"rev": "c84ccd0a7a712475e861c2b111574472b1a8d0cd",
"type": "github"
},
"original": {
@ -76,11 +76,11 @@
]
},
"locked": {
"lastModified": 1717025063,
"narHash": "sha256-dIubLa56W9sNNz0e8jGxrX3CAkPXsq7snuFA/Ie6dn8=",
"lastModified": 1702918879,
"narHash": "sha256-tWJqzajIvYcaRWxn+cLUB9L9Pv4dQ3Bfit/YjU5ze3g=",
"owner": "ipetkov",
"repo": "crane",
"rev": "480dff0be03dac0e51a8dfc26e882b0d123a450e",
"rev": "7195c00c272fdd92fc74e7d5a0a2844b9fadb2fb",
"type": "github"
},
"original": {
@ -118,11 +118,11 @@
]
},
"locked": {
"lastModified": 1718846788,
"narHash": "sha256-9dtXYtEkmXoUJV+PGLqscqF7qTn4AIhAKpFWRFU2NYs=",
"lastModified": 1709439398,
"narHash": "sha256-MW0zp3ta7SvdpjvhVCbtP20ewRwQZX2vRFn14gTc4Kg=",
"owner": "nix-community",
"repo": "disko",
"rev": "e1174d991944a01eaaa04bc59c6281edca4c0e6e",
"rev": "1f76b318aa11170c8ca8c225a9b4c458a5fcbb57",
"type": "github"
},
"original": {
@ -163,22 +163,6 @@
"type": "github"
}
},
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
@ -186,11 +170,11 @@
]
},
"locked": {
"lastModified": 1717285511,
"narHash": "sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw=",
"lastModified": 1709336216,
"narHash": "sha256-Dt/wOWeW6Sqm11Yh+2+t0dfEWxoMxGBvv3JpIocFl9E=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8",
"rev": "f7b3c975cf067e56e7cda6cb098ebe3fb4d74ca2",
"type": "github"
},
"original": {
@ -199,6 +183,43 @@
"type": "github"
}
},
"flake-parts_2": {
"inputs": {
"nixpkgs-lib": [
"nixos-hypervisor",
"nixpkgs"
]
},
"locked": {
"lastModified": 1687762428,
"narHash": "sha256-DIf7mi45PKo+s8dOYF+UlXHzE0Wl/+k3tXUyAoAnoGE=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "37dd7bb15791c86d55c5121740a1887ab55ee836",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-registry": {
"flake": false,
"locked": {
"lastModified": 1705308826,
"narHash": "sha256-Z3xTYZ9EcRIqZAufZbci912MUKB0sD+qxi/KTGMFVwY=",
"owner": "NixOS",
"repo": "flake-registry",
"rev": "9c69f7bd2363e71fe5cd7f608113290c7614dcdd",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "flake-registry",
"type": "github"
}
},
"flake-utils": {
"locked": {
"lastModified": 1667395993,
@ -229,39 +250,6 @@
"type": "github"
}
},
"flake-utils_3": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flakey-profile": {
"locked": {
"lastModified": 1712898590,
"narHash": "sha256-FhGIEU93VHAChKEXx905TSiPZKga69bWl1VB37FK//I=",
"owner": "lf-",
"repo": "flakey-profile",
"rev": "243c903fd8eadc0f63d205665a92d4df91d42d9d",
"type": "github"
},
"original": {
"owner": "lf-",
"repo": "flakey-profile",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
@ -290,92 +278,27 @@
]
},
"locked": {
"lastModified": 1718530513,
"narHash": "sha256-BmO8d0r+BVlwWtMLQEYnwmngqdXIuyFzMwvmTcLMee8=",
"lastModified": 1706981411,
"narHash": "sha256-cLbLPTL1CDmETVh4p0nQtvoF+FSEjsnJTFpTxhXywhQ=",
"owner": "rycee",
"repo": "home-manager",
"rev": "a1fddf0967c33754271761d91a3d921772b30d0e",
"rev": "652fda4ca6dafeb090943422c34ae9145787af37",
"type": "github"
},
"original": {
"owner": "rycee",
"ref": "release-24.05",
"ref": "release-23.11",
"repo": "home-manager",
"type": "github"
}
},
"lix": {
"inputs": {
"flake-compat": "flake-compat_3",
"nix2container": "nix2container",
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-regression": "nixpkgs-regression",
"pre-commit-hooks": "pre-commit-hooks"
},
"locked": {
"lastModified": 1729296222,
"narHash": "sha256-fwJyGrkTemR1SwkAPXfxlY0RYCxy34NedmR35amytCc=",
"ref": "refs/heads/main",
"rev": "60578b4d7d0dfc296c61cae963b6b2763422788e",
"revCount": 16362,
"type": "git",
"url": "https://git.lix.systems/lix-project/lix.git"
},
"original": {
"ref": "refs/heads/main",
"rev": "60578b4d7d0dfc296c61cae963b6b2763422788e",
"type": "git",
"url": "https://git.lix.systems/lix-project/lix.git"
}
},
"lix-module": {
"inputs": {
"flake-utils": "flake-utils_3",
"flakey-profile": "flakey-profile",
"lix": [
"lix"
],
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1727752861,
"narHash": "sha256-jowmo2aEzrEpPSM96IWtajuogdJm7DjAWxFTEb7Ct0s=",
"rev": "fd186f535a4ac7ae35d98c1dd5d79f0a81b7976d",
"type": "tarball",
"url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/fd186f535a4ac7ae35d98c1dd5d79f0a81b7976d.tar.gz?rev=fd186f535a4ac7ae35d98c1dd5d79f0a81b7976d"
},
"original": {
"type": "tarball",
"url": "https://git.lix.systems/lix-project/nixos-module/archive/main.tar.gz"
}
},
"nix2container": {
"flake": false,
"locked": {
"lastModified": 1724996935,
"narHash": "sha256-njRK9vvZ1JJsP8oV2OgkBrpJhgQezI03S7gzskCcHos=",
"owner": "nlewo",
"repo": "nix2container",
"rev": "fa6bb0a1159f55d071ba99331355955ae30b3401",
"type": "github"
},
"original": {
"owner": "nlewo",
"repo": "nix2container",
"type": "github"
}
},
"nixos-hardware": {
"locked": {
"lastModified": 1719069430,
"narHash": "sha256-d9KzCJv3UG6nX9Aur5OSEf4Uj+ywuxojhiCiRKYVzXA=",
"lastModified": 1709410583,
"narHash": "sha256-esOSUoQ7mblwcsSea0K17McZuwAIjoS6dq/4b83+lvw=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "e8232c132a95ddc62df9d404120ad4ff53862910",
"rev": "59e37017b9ed31dee303dbbd4531c594df95cfbc",
"type": "github"
},
"original": {
@ -384,13 +307,36 @@
"type": "github"
}
},
"nixos-hypervisor": {
"inputs": {
"flake-parts": "flake-parts_2",
"nixpkgs": [
"nixpkgs"
],
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1688428885,
"narHash": "sha256-fVIbXKvHmxSUAKTMiXx799UasQwU2XT+op7bzvtfl8c=",
"ref": "main",
"rev": "9f32a304708fd9c91c081db05eee1b4f2e0226cc",
"revCount": 2,
"type": "git",
"url": "ssh://gitea@git.newtype.fr/newtype/nixos-hypervisor"
},
"original": {
"ref": "main",
"type": "git",
"url": "ssh://gitea@git.newtype.fr/newtype/nixos-hypervisor"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1711401922,
"narHash": "sha256-QoQqXoj8ClGo0sqD/qWKFWezgEwUL0SUh37/vY2jNhc=",
"lastModified": 1702539185,
"narHash": "sha256-KnIRG5NMdLIpEkZTnN5zovNYc0hhXjAgv6pfd5Z4c7U=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "07262b18b97000d16a4bdb003418bd2fb067a932",
"rev": "aa9d4729cbc99dabacb50e3994dcefb3ea0f7447",
"type": "github"
},
"original": {
@ -400,29 +346,13 @@
"type": "github"
}
},
"nixpkgs-regression": {
"locked": {
"lastModified": 1643052045,
"narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1711460390,
"narHash": "sha256-akSgjDZL6pVHEfSE6sz1DNSXuYX6hq+P/1Z5IoYWs7E=",
"lastModified": 1702780907,
"narHash": "sha256-blbrBBXjjZt6OKTcYX1jpe9SRof2P9ZYWPzq22tzXAA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "44733514b72e732bd49f5511bd0203dea9b9a434",
"rev": "1e2e384c5b7c50dbf8e9c441a9e58d85f408b01f",
"type": "github"
},
"original": {
@ -432,13 +362,13 @@
"type": "github"
}
},
"nixpkgs_2": {
"nixpkgs-unstable": {
"locked": {
"lastModified": 1724932487,
"narHash": "sha256-zzbqHmY1mt21omyk1+14QbAkII1B7OHlwKLcczVq22w=",
"lastModified": 1709356872,
"narHash": "sha256-mvxCirJbtkP0cZ6ABdwcgTk0u3bgLoIoEFIoYBvD6+4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "b4f7fb71438d00539b21f1b1e6968c0eac060127",
"rev": "458b097d81f90275b3fdf03796f0563844926708",
"type": "github"
},
"original": {
@ -448,34 +378,34 @@
"type": "github"
}
},
"nur": {
"nixpkgs_2": {
"locked": {
"lastModified": 1719099906,
"narHash": "sha256-xo1cNkVBW7NxTU5zMu0B7ZkismtkHfTRWfhBXbNnp9g=",
"owner": "nix-community",
"repo": "NUR",
"rev": "315cf1f8c5f5e92150d81ccafba7525c54327094",
"lastModified": 1709428628,
"narHash": "sha256-//ZCCnpVai/ShtO2vPjh3AWgo8riXCaret6V9s7Hew4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "66d65cb00b82ffa04ee03347595aa20e41fe3555",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "NUR",
"owner": "NixOS",
"ref": "release-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"pre-commit-hooks": {
"flake": false,
"nur": {
"locked": {
"lastModified": 1726745158,
"narHash": "sha256-D5AegvGoEjt4rkKedmxlSEmC+nNLMBPWFxvmYnVLhjk=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "4e743a6920eab45e8ba0fbe49dc459f1423a4b74",
"lastModified": 1709439575,
"narHash": "sha256-49f8WbTUE4C8VrIxS2DrINOncakhFChcmZ6xccVSfkA=",
"owner": "nix-community",
"repo": "NUR",
"rev": "075c3094d6c6c3fae0e107de41e2367d17341ac4",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "git-hooks.nix",
"owner": "nix-community",
"repo": "NUR",
"type": "github"
}
},
@ -486,11 +416,12 @@
"colmena": "colmena",
"disko": "disko",
"flake-parts": "flake-parts",
"flake-registry": "flake-registry",
"home-manager": "home-manager_2",
"lix": "lix",
"lix-module": "lix-module",
"nixos-hardware": "nixos-hardware",
"nixos-hypervisor": "nixos-hypervisor",
"nixpkgs": "nixpkgs_2",
"nixpkgs-unstable": "nixpkgs-unstable",
"nur": "nur",
"srvos": "srvos"
}
@ -502,15 +433,15 @@
]
},
"locked": {
"lastModified": 1724920817,
"narHash": "sha256-qWXS+4M9kHXxG1HgZuv+3gm3KQc1aPdBZUPnLLev8w0=",
"owner": "nix-community",
"lastModified": 1709301784,
"narHash": "sha256-Yf7HeS2VZCD8kD/wEgnToyt9YqQhCle/9TazmFYnjsE=",
"owner": "numtide",
"repo": "srvos",
"rev": "977841b31ddbd3c919f56767a6f85d0615440759",
"rev": "9501896e0edf01d2cbd5fa6f0dbb3aafc00dae81",
"type": "github"
},
"original": {
"owner": "nix-community",
"owner": "numtide",
"repo": "srvos",
"type": "github"
}
@ -546,18 +477,24 @@
"type": "github"
}
},
"systems_2": {
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"nixos-hypervisor",
"nixpkgs"
]
},
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"lastModified": 1688026376,
"narHash": "sha256-qJmkr9BWDpqblk4E9/rCsAEl39y2n4Ycw6KRopvpUcY=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "df3f32b0cc253dfc7009b7317e8f0e7ccd70b1cf",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
}

63
flake.nix
View file

@ -4,25 +4,19 @@
# To update all inputs:
# $ nix flake update --recreate-lock-file
inputs = {
lix.url = "git+https://git.lix.systems/lix-project/lix.git?ref=refs/heads/main&rev=60578b4d7d0dfc296c61cae963b6b2763422788e";
lix.inputs.nixpkgs.follows = "nixpkgs";
lix-module.url = "https://git.lix.systems/lix-project/nixos-module/archive/main.tar.gz";
lix-module.inputs.nixpkgs.follows = "nixpkgs";
lix-module.inputs.lix.follows = "lix";
disko.url = "github:nix-community/disko";
disko.inputs.nixpkgs.follows = "nixpkgs";
flake-parts.url = "github:hercules-ci/flake-parts";
flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
nixpkgs.url = "github:NixOS/nixpkgs/release-23.11";
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
nixos-hardware.url = "github:NixOS/nixos-hardware";
nur.url = "github:nix-community/NUR";
home-manager.url = "github:rycee/home-manager/release-24.05";
home-manager.url = "github:rycee/home-manager/release-23.11";
home-manager.inputs.nixpkgs.follows = "nixpkgs";
agenix.url = "github:ryantm/agenix";
@ -33,48 +27,34 @@
attic.url = "github:zhaofengli/attic";
srvos.url = "github:nix-community/srvos";
srvos.url = "github:numtide/srvos";
# actually not used when using the modules but than nothing ever will try to fetch this nixpkgs variant
srvos.inputs.nixpkgs.follows = "nixpkgs";
# Ryan's experimental hypervisor based on cloud-hypervisor
# Private repository, you need a valid SSH key to access it
# nixos-hypervisor.url = "git+ssh://gitea@git.newtype.fr/newtype/nixos-hypervisor?ref=main";
# nixos-hypervisor.inputs.nixpkgs.follows = "nixpkgs";
nixos-hypervisor.url = "git+ssh://gitea@git.newtype.fr/newtype/nixos-hypervisor?ref=main";
nixos-hypervisor.inputs.nixpkgs.follows = "nixpkgs";
flake-registry.url = "github:NixOS/flake-registry";
flake-registry.flake = false;
};
outputs =
{
flake-parts,
...
}@inputs:
(flake-parts.lib.evalFlakeModule { inherit inputs; } (
{ self, inputs, ... }:
{
systems = [
"x86_64-linux"
"aarch64-linux"
"aarch64-darwin"
];
{ flake-parts
, ...
} @ inputs:
(flake-parts.lib.evalFlakeModule
{ inherit inputs; }
({ self, inputs, ... }: {
systems = [ "x86_64-linux" "aarch64-linux" "aarch64-darwin" ];
imports = [
./configurations.nix
# ./modules/monitoring/flake-module.nix
# ./pkgs/flake-module.nix
# ./templates
];
# provide debug, allSystems, currentSystem in the resulting flake
debug = true;
perSystem =
{ self', pkgs, system, ... }:
{
# apply the lix overlay to banish CppNix
_module.args.pkgs = import inputs.nixpkgs {
inherit system;
overlays = [ inputs.lix-module.overlays.default ];
};
perSystem = { self', pkgs, ... }: {
devShells.default = pkgs.mkShellNoCC {
buildInputs = [
pkgs.ipmitool
@ -119,15 +99,10 @@
};
};
flake = {
hydraJobs =
inputs.nixpkgs.lib.mapAttrs' (
name: config: inputs.nixpkgs.lib.nameValuePair "nixos-${name}" config.config.system.build.toplevel
) self.nixosConfigurations
// {
hydraJobs = inputs.nixpkgs.lib.mapAttrs' (name: config: inputs.nixpkgs.lib.nameValuePair "nixos-${name}" config.config.system.build.toplevel) self.nixosConfigurations // {
devShells = self.devShells.x86_64-linux.default;
};
};
}
)).config.flake;
})).config.flake;
}

44
hosts/epyc.nix
View file

@ -1,4 +1,4 @@
{ inputs, lib, pkgs, ... }:
{ lib, pkgs, ... }:
let
gcc-system-features = arch: lib.optionals (arch != null) ([ "gccarch-${arch}" ]
++ map (x: "gccarch-${x}") lib.systems.architectures.inferiors.${arch});
@ -9,30 +9,23 @@ in
../modules/hardware/supermicro-H12SSL-i.nix
../modules/iperf-server.nix
../modules/hypervisor.nix
../modules/hydra/coordinator.nix
../modules/android-cache.nix
../modules/garage.nix
../modules/users/friends.nix
../modules/bagel-container.nix
../modules/lix-bug-details-pls
];
# Include debuginfo for Lix
environment.systemPackages = [
pkgs.lix.debug
pkgs.lix.passthru.capnproto-lix.debug
];
environment.pathsToLink = [
"/lib/debug"
];
networking.hostName = "epyc";
security.acme.acceptTerms = true;
security.acme.defaults.email = "epyc@lahfa.xyz";
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
virtualisation.docker = {
enable = true;
rootless.enable = true;
};
# We want to use EEVDF and AMD-related niceties.
boot.kernelPackages = pkgs.linuxPackages_latest;
# Open public access to our PostgreSQL.
@ -43,7 +36,26 @@ in
'';
networking.firewall.allowedTCPPorts = [ 5432 ];
boot.binfmt.emulatedSystems = [ "riscv64-linux" "aarch64-linux" ];
virtualisation.nvisor.vms = {
vm01 = {
config = { pkgs, ... }: {
environment.systemPackages = [ pkgs.hello ];
};
};
};
nix.buildMachines = [
{ hostName = "localhost";
systems = [
"x86_64-linux"
"riscv64-linux"
];
supportedFeatures = [ "kvm" "nixos-test" "big-parallel" "benchmark" ] ++ gcc-system-features "znver3";
maxJobs = 2;
}
];
boot.binfmt.emulatedSystems = [ "riscv64-linux" "aarch64-linux" "riscv64-linux" ];
simd.arch = "znver3";
system.stateVersion = "23.05";

46
modules/bagel-container.nix
View file

@ -1,46 +0,0 @@
# Stateful/mutable container used for Bagel (tm) related infra (mostly
# rebuilding nixpkgs a lot).
#
# System image is stored at /var/lib/machines/bagel.
{
systemd.nspawn.bagel = {
execConfig = {
Boot = true;
Ephemeral = false;
PrivateUsers = true;
NotifyReady = true;
LinkJournal = "try-guest";
};
networkConfig = {
Bridge = "wan-br";
VirtualEthernetExtra = "vb-bagel-v4:host1";
};
};
systemd.services."systemd-nspawn@bagel" = {
wantedBy = [ "machines.target" ];
wants = [ "network.target" ];
after = [ "network.target" ];
overrideStrategy = "asDropin";
};
systemd.network.networks."20-vb-bagel-v4" = {
matchConfig.Name = "vb-bagel-v4";
networkConfig.Address = [ "172.16.100.1/24" ];
networkConfig.IPMasquerade = true;
};
# Configure a local Nix builder account, since getting sandboxing and KVM
# working inside the container will be tricky.
users.users.bagel-builder = {
isSystemUser = true;
group = "nogroup";
home = "/var/empty";
shell = "/bin/sh";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAvUT9YBig9LQPHgypIBHQuC32XqDKxlFZ2CfgDi0ZKx"
];
};
nix.settings.trusted-users = [ "bagel-builder" ];
}

1
modules/buildbot/default.nix
View file

@ -34,6 +34,7 @@ in
pkgs.gh
pkgs.nix
pkgs.nix-output-monitor
inputs.attic.packages.x86_64-linux.attic
];
environment.PYTHONPATH = "${python.withPackages (_: [package])}/${python.sitePackages}";
environment.MASTER_URL = ''TCP:2a01\\:e34\\:ec2a\\:8e60\\:8ec7\\:b5d2\\:f663\\:a67a:9989'';

32
modules/hardware/supermicro-H12SSL-i.nix
View file

@ -8,44 +8,28 @@
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.kernelParams = [ "pci=realloc" "boot.shell_on_fail" ];
boot.kernelParams = [ "pci=realloc" ];
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
boot.initrd.services.lvm.enable = true;
boot.initrd.systemd.enable = true;
fileSystems."/experiments" =
{ device = "/dev/disk/by-uuid/40ef7d25-91c5-41e4-a40f-b0fb93658ffe";
fsType = "ext4";
};
boot.initrd.systemd.enable = lib.mkForce false;
fileSystems."/" =
{ device = "/dev/disk/by-uuid/53cc33a3-1488-44c4-8f5d-a2bc67914274";
fsType = "xfs";
{ device = "/dev/disk/by-uuid/3a81ba8f-f5bb-446c-89a3-ad77e354dae0";
fsType = "btrfs";
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/cee7b903-53f6-4967-b95d-654d34ccd460";
fsType = "xfs";
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/5625935d-579b-41e4-be35-03df8437bc2c";
fsType = "xfs";
};
fileSystems."/var" =
{ device = "/dev/disk/by-uuid/33bf7f4e-37f5-4121-84ac-70d06964ea21";
fsType = "xfs";
boot.initrd.luks.devices."nixroot" = {
device = "/dev/disk/by-uuid/c10d2822-cb83-4666-98f8-0aa04be259bc";
keyFile = "/dev/zero";
keyFileSize = 1;
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/AFF2-3149";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices =

3
modules/hypervisor.nix
View file

@ -1,2 +1,5 @@
{ ... }: {
virtualisation.nvisor = {
enable = true;
};
}

40
modules/lix-bug-details-pls/0001-wip-complain-about-failing-goals-at-warn-level.patch
View file

@ -1,40 +0,0 @@
From 96937c58232ad6eaa11d1370220101c3ce2d00c3 Mon Sep 17 00:00:00 2001
From: Jade Lovelace <lix@jade.fyi>
Date: Thu, 29 Aug 2024 23:04:39 -0700
Subject: [PATCH] wip: complain about failing goals at warn level
I want to fix the bug that appears here:
error: build of '/nix/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-nixos-test-driver-nix-copy-closure.drv' on 'ssh-ng://nix@epyc.infra.newtype.fr' failed: error: some dependencies of '/nix/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-nixos-test-driver-nix-copy-closure.drv' are missing
error: builder for '/nix/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-nixos-test-driver-nix-copy-closure.drv' failed with exit code 1
error: 1 dependencies of derivation '/nix/store/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb-vm-test-run-nix-copy-closure.drv' failed to build
However, this is conditional on nrFailed, and I cannot for the life of
me figure out *who* is failing and *why*.
Hopefully with these data I can narrow down why this bug is happening
Change-Id: I7dca71b1c8ac92e7cc40c47ab37c952a7673cf42
---
src/libstore/build/worker.cc | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/libstore/build/worker.cc b/src/libstore/build/worker.cc
index 1b4633e64..a93be28a6 100644
--- a/src/libstore/build/worker.cc
+++ b/src/libstore/build/worker.cc
@@ -160,7 +160,10 @@ void Worker::goalFinished(GoalPtr goal, Goal::Finished & f)
waiting->trace(fmt("waitee '%s' done; %d left", goal->name, waiting->waitees.size()));
- if (f.result != Goal::ecSuccess) ++waiting->nrFailed;
+ if (f.result != Goal::ecSuccess) {
+ ++waiting->nrFailed;
+ warn("Waiter %s experienced non-success of waitee %s with result %d", waiting->getName(), goal->getName(), f.result);
+ }
if (f.result == Goal::ecNoSubstituters) ++waiting->nrNoSubstituters;
if (f.result == Goal::ecIncompleteClosure) ++waiting->nrIncompleteClosure;
--
2.44.1

22
modules/lix-bug-details-pls/default.nix
View file

@ -1,22 +0,0 @@
{ ... }:
{
# jade: this exists because of a Lix bug that has me losing my damn mind and we really cannot debug it without either:
# * debug logs (infeasible. they are way too spammy)
# * patching lix (well look where we are)
#
# I don't really think it's necessarily appropriate to log at info level when
# a derivation fails on `main`, so here we have a yolopatch to get the damn
# thing in the log.
#
# I suspect it is a race condition with the garbage collector.
nixpkgs.overlays = [
(final: prev: {
lix = prev.lix.overrideAttrs (old: {
patches = (old.patches or [ ]) ++ [
# This patch doesn't apply anymore.
# ./0001-wip-complain-about-failing-goals-at-warn-level.patch
];
});
})
];
}

25
modules/network.nix
View file

@ -14,8 +14,8 @@
'')
config.networking.newtype.hosts);
# leave container interfaces alone unless otherwise specified
systemd.network.networks."95-veth".extraConfig = ''
# leave container interfaces alone
systemd.network.networks."05-veth".extraConfig = ''
[Match]
Driver = veth
@ -34,27 +34,10 @@
linkConfig.Name = "nat-lan";
};
systemd.network.netdevs."10-wan-br" = {
netdevConfig.Name = "wan-br";
netdevConfig.Kind = "bridge";
netdevConfig.MACAddress = "none";
bridgeConfig.MulticastSnooping = false;
};
systemd.network.links."10-wan-br" = {
matchConfig.Name = "wan-br";
linkConfig.MACAddressPolicy = "none";
};
systemd.network.networks."10-wan-br" = {
matchConfig.Name = "wan-br";
linkConfig.RequiredForOnline = true;
networkConfig.Address = [ config.networking.newtype.currentHost.ipv6 ];
};
systemd.network.networks."10-wan" = {
matchConfig.Name = "wan";
networkConfig.Bridge = "wan-br";
linkConfig.RequiredForOnline = true;
networkConfig.Address = [ config.networking.newtype.currentHost.ipv6 ];
};
systemd.network.links."10-wan" = {

15
modules/nix-daemon.nix
View file

@ -1,6 +1,7 @@
{ lib
, config
, pkgs
, inputs
, ...
}:
@ -29,14 +30,6 @@ in
{ domain = "*"; item = "nofile"; type = "-"; value = "20480"; }
];
# Makes the computer go faster.
# nixos.jobserver.enable = true;
# TODO(raito): rework this.
# Avoid weird failures for builders.
services.openssh.settings.MaxStartups = 100;
services.openssh.settings.MaxSessions = 100;
# Memory accounting techniques
systemd.services.nix-daemon.serviceConfig = {
MemoryAccounting = true;
@ -57,6 +50,10 @@ in
# Randomize GC to avoid thundering herd effects.
gc.randomizedDelaySec = "1800";
# Inchallah, it works.
package = pkgs.nixVersions.nix_2_18;
# package = lib.mkForce inputs.nixpkgs-unstable.legacyPackages.x86_64-linux.nixVersions.nix_2_17;
# should be enough?
nrBuildUsers = 128;
@ -66,7 +63,7 @@ in
use-cgroups = true;
http-connections = 0;
auto-allocate-uids = true;
cores = 0;
cores = 64; # 128 is too much, it will explode the RAM for now. Let's keep it serious.
max-jobs = 2; # Do not build more than 2 derivations at once in the event, both of them are too big, yes this is stupid, fix it in Nix.
fsync-metadata = true;
substituters = [

8
modules/packages.nix
View file

@ -1,4 +1,4 @@
{ pkgs, config, inputs, ... }: {
{ pkgs, inputs, ... }: {
# this extends the list from:
# https://github.com/numtide/srvos/blob/master/server.nix#L10
environment.systemPackages = with pkgs; [
@ -6,6 +6,7 @@
whois
nix-output-monitor
inputs.attic.packages.x86_64-linux.attic
jq
psmisc
libarchive
@ -34,10 +35,9 @@
ethtool
usbutils
config.boot.kernelPackages.perf
pwru
ipmitool
nix-top
# tries to default to soft-float due to out-dated cc-rs
] ++ lib.optional (!stdenv.hostPlatform.isRiscV) bandwhich;
}

36
modules/ssh-cursed.nix Normal file
View file

@ -0,0 +1,36 @@
{
programs.ssh.extraConfig = ''
Host telecom-bastion
HostName ssh.enst.fr
User jmalka
IdentityFile /home/luj/.ssh/id_ed25519
Host lame11
Hostname lame11.enst.fr
User nix-remote-builder
ProxyJump telecom-bastion
IdentityFile /home/luj/.ssh/id_ed25519
Host lame10
Hostname lame10.enst.fr
User nix-remote-builder
ProxyJump telecom-bastion
IdentityFile /home/luj/.ssh/id_ed25519
Host lame12
Hostname lame12.enst.fr
User nix-remote-builder
ProxyJump telecom-bastion
IdentityFile /home/luj/.ssh/id_ed25519
Host lame16
Hostname lame16.enst.fr
User nix-remote-builder
ProxyJump telecom-bastion
IdentityFile /home/luj/.ssh/id_ed25519
Host lame17
Hostname lame17.enst.fr
User nix-remote-builder
ProxyJump telecom-bastion
IdentityFile /home/luj/.ssh/id_ed25519
'';
}

5
modules/users/admins.nix
View file

@ -18,12 +18,13 @@ in
openssh.authorizedKeys.keyFiles = [ ./keys/raito.keys ];
};
# Luj
# Julien Malka
luj = {
isNormalUser = true;
home = "/home/luj";
inherit (config.users.users.raito);
extraGroups = extraGroups ++ [ "production-hydra-db" ];
shell = "/run/current-system/sw/bin/bash";
shell = "/run/current-system/sw/bin/zsh";
uid = 1001;
openssh.authorizedKeys.keyFiles = [ ./keys/luj.keys ];
};

25
modules/users/friends.nix
View file

@ -61,34 +61,11 @@ in
home = "/home/pennae";
shell = "/run/current-system/sw/bin/zsh";
uid = 2006;
# Raito: Allowed to debug jobserver.
extraGroups = [ "wheel" ] ++ trustedFriendGroups;
extraGroups = trustedFriendGroups;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC5Wf5/IbyFpdziWfwxkQqxOf3r1L9pYn6xQBEKFwmMY"
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIK8icXjHkb4XzbIVN3djH4CE7RvgGd+3xbG4cgh0Yls5AAAABHNzaDo="
];
};
# Raito: Temporary account until next year, for delroth, who is going to work on building capabilities for improving build infrastructure.
delroth = {
isNormalUser = true;
home = "/home/delroth";
shell = "/run/current-system/sw/bin/zsh";
uid = 2007;
# Raito: Allowed to spawn new VMs and do various stuff for isolating the workloads.
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3tjB4KYDok3KlWxdBp/yEmqhhmybd+w0VO4xUwLKKV"
];
};
# Raito: Temporary account for the next week, for VM testing in the context of the systemd-hardening project.
jmarquet = {
isNormalUser = true;
home = "/home/jmarquet";
uid = 2008;
expires = "2024-08-30";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFe4tx0+lNX2w7kG94c9u7U0wHuOc2A6zpHcbyAs+w/d thejohncrafter@system76-pc"
];
};
};
}

3
modules/users/keys/akechi.keys
View file

@ -1 +1,2 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICRDM7fyeGRgYzuW+falRZayYSf5xMwj2d2PI9vSyjOD
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDmC/lBooMyJZnyuU0/f6Qufi48DCEQ1RNT1l25cbvZWCXRrAJuQUTgb7u2nl8SEiQTRbZy/FTesaoPNBRWtWXK/8M0K58DeTMdNeTV8joW+vwEzRF3LPb9gU3FqCuuFFRqhJNC16cFBxXMCyjmktl8EG9o5yVcT/6HdwvXRKlas+EqXHlZblXxYQfCjWkpd3vzIoEfPwkUpQFlvLltTBT+EUWTiysvF8cCCuBx7EXHX++fNNySDoB9bQJ+sYoAvuhtfZ5eYNePpYQCV71KMEPYBqJ7AQpvdbMa34Rx7mghGCLk580qWTuXf/vqKRD4EAsvPYtK/xJNyjrCTX99TL60NIsBgNzQvvFFIaAsD91nD13gaEvybOjIo1lbzSZhbreX1qdWeUCR32HDUH4fEVv81VSaPbH2zxWqIf8bLDMJ7pCLKncyCZD1yVFCXsDV/J8BQq0c3GtFh3eEt59bkk6iU+LXv9dvwJtCvsp087Yh4qhj0L9z2zgczeljKJtFFTZhWbY3WEKiureoI7iPEJvLB8B6pGF0qQmIjbIIx6gtBoJc891w+XUmaXfHhWsVV7eq2y/AU7BvXAZp3LigWvosmPpoYsgjS0RNp2RJo2ufN6wKBtq+qv0xM+S6JvXo5pf2Oe11qp8hxF32MNv+djFK3Qf/JMkZAQd1Y/vW/Gg8Xw==
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK5vbxUd8I+uF/OY/PpPhSzrLN14Waq82uyQXNPYpHjA

16
modules/users/keys/luj.keys
View file

@ -1,3 +1,13 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIADCpuBL/kSZShtXD6p/Nq9ok4w1DnlSoxToYgdOvUqo julien@fischer
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMAa0wll9ildhgPiV0DhgJXXtw3TQr5VkNxxxPspHSbX julien@gallifrey
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM9Uzb7szWlux7HuxLZej9cBR5MhLz/vaAPPfSoozt2k
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHoYi9YFzovZfwrY3BUA3QqcyBE8gfNTncbs3qqkLbyY
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDCKfPoMNrnyNWH6J1OvQ+n1rvSS9Sc2iZf6E1JQC+L4
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIESMWr29i3rhj32oLV3DKe57YI+jvNaKjZhhpq6dEjsn
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOCKgHRHAJDSgKqYNfWboL04mnEOM0m0K3TGxBhBNDR
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOpGHx430EpJmbtJc8+lF1CpQ1gXeHT9OeZ08O8yzohF
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEaCGndojnmS5IoqHVMEPRfKuBZotMyqo7wNkAZJWigp
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILxfFq8wx5Bet5Q0gI28/lc9ryYYFQelpZdPPdzxGBbA
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILKIDLmQQ+P+jE4zVRpdVp8fmYEe4nzPDqYZt6A4eyIi
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAkj2xsN7Qt/Ew2QO+HiF2yOjXPRucZ3SbIdPDLJoh22
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCUt5I3IgONzYsMOFnRXtvR/uLXlIs6oWsCmh6YGgnpGD4M9lFdoYAOeC1faQUnP66sNs6AoacrGlPZ1UkVUqYEoIr2hiNCDRzzLCQ2J/sSaw7Hv0PKT7MWMo8R076M3TrdunCchBJI1noez3waM9aL4b/iYVhxym28ET55QrWjyMQfZL9PXzOKZatNVcK8AmdtSbI+pFrm/tTZPa321drm9PHOo9CL+lG4YmVZcXa0bVfVtk1GXlWwNpCj2ExLmbF1rRpAa05khfnbg3sBSklwf5NRXj11KneodKRF81ji7MtBhIIfoEXSYht7yspdkkS9e9mv16VGV+2ziM8zG3MK/iUq7fg5ksN54D3DNrd9iI5WjQZsLUrK0ypxO2NtvupWGYt3rCyKA/QvynbxOWFp6cy3Evej142hsfbiOcPIgCtGdHIBevp+KmPxkHBqsJPBqb3Y7nOMT1/ggDMtvHZEZJjEI2D2RjZNEXGbq63OPAqEkgmecW0cXlrjLEGhF2E=