feat: introduce tenant-specific extra build capacity

At Lix, we have few aarch64-linux and aarch64-darwin systems we use to
boost our CI.

This is a module to handle tenant-specific extra build capacity without
it leaking over the rest of the deployment.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
This commit is contained in:
raito 2024-10-05 18:06:23 +02:00
parent 6978c1271d
commit 002db9a78f
4 changed files with 54 additions and 1 deletions

View file

@ -31,7 +31,7 @@
automatic = true; automatic = true;
persistent = true; persistent = true;
dates = lib.mkDefault "daily"; dates = lib.mkDefault "daily";
options = "--delete-older-than 30d"; options = lib.mkDefault "--delete-older-than 30d";
}; };
services.journald.extraConfig = "SystemMaxUse=512M"; services.journald.extraConfig = "SystemMaxUse=512M";

View file

@ -14,5 +14,6 @@
./buildbot ./buildbot
./newsletter ./newsletter
./s3-revproxy ./s3-revproxy
./extra-builders
]; ];
} }

View file

@ -0,0 +1,6 @@
{
imports = [
# Remote builders
./provider.nix
];
}

View file

@ -0,0 +1,46 @@
## Tenant-specific build capacity.
## This can come from anywhere and is not hold to the same level of responsibility that our build-infra has.
{ pkgs, config, lib, nodes, ... }:
let
inherit (lib) mkIf types mkEnableOption mkOption;
freeGbDiskSpace = 10;
cfg = config.bagel.builders.extra-build-capacity.provider;
in
{
options.bagel.builders.extra-build-capacity.provider = {
enable = mkEnableOption "providing of extra build capacity to other systems";
buildfarmPublicKeys = mkOption {
type = types.listOf types.str;
description = "SSH public keys to allow to connect for remote builds";
};
# TODO: register tenant in some deployment wide module
# so that the consumer side can just automatically generate buildMachines entries.
tenant = mkOption {
type = types.enum [ "lix" ];
};
};
config = mkIf cfg.enable {
users.groups.builders = {};
users.users.nix = {
openssh.authorizedKeys.keys = cfg.buildfarmPublicKeys;
extraGroups = [ "builders" ];
isNormalUser = true;
};
nix.settings.allowed-users = [ "@wheel" "@builders" ];
nix.settings.trusted-users = [ "@builders" ];
nix.gc.automatic = true;
nix.gc.dates = "hourly";
nix.gc.options = ''
--max-freed "$((${toString freeGbDiskSpace} * 1024**3 - 1024 * $(df -P -k /nix/store | tail -n 1 | ${pkgs.gawk}/bin/awk '{ print $4 }')))"
'';
# Bump the open files limit so that non-root users can run NixOS VM tests, if supported at all.
security.pam.loginLimits = [
{ domain = "*"; item = "nofile"; type = "-"; value = "20480"; }
];
};
}