Compare commits
15 commits
caa2af0bb5
...
bed5ef022f
Author | SHA1 | Date | |
---|---|---|---|
bed5ef022f | |||
e6ead602f0 | |||
329f267b02 | |||
b14f155d55 | |||
c8208f42ef | |||
087d17c681 | |||
d2336262fb | |||
f35cfbd567 | |||
58325e30dd | |||
411d514ab9 | |||
f74d1ca0f6 | |||
70e608a8f7 | |||
4e869a9f43 | |||
3cbdbc45f7 | |||
7ba42d99d1 |
11 changed files with 111 additions and 7 deletions
|
@ -4,6 +4,7 @@
|
|||
nix.package = lib.mkDefault pkgs.lix;
|
||||
services.openssh.enable = lib.mkForce true;
|
||||
|
||||
networking.nftables.enable = true;
|
||||
networking.firewall.enable = true;
|
||||
networking.firewall.logRefusedConnections = false;
|
||||
networking.firewall.logReversePathDrops = true;
|
||||
|
@ -33,4 +34,21 @@
|
|||
boot.kernelParams = [
|
||||
"panic=30" "boot.panic_on_fail"
|
||||
];
|
||||
|
||||
boot.kernel.sysctl = {
|
||||
# Set default TCP congestion control algorithm
|
||||
"net.ipv4.tcp_congestion_control" = "bbr";
|
||||
|
||||
# Enable ECN
|
||||
"net.ipv4.tcp_ecn" = 1;
|
||||
|
||||
# Enable TCP fast open
|
||||
"net.ipv4.tcp_fastopen" = 3;
|
||||
};
|
||||
|
||||
# reduce closure size, feel free to add your locale here
|
||||
i18n.supportedLocales = [
|
||||
"en_US.UTF-8/UTF-8"
|
||||
"fr_FR.UTF-8/UTF-8"
|
||||
];
|
||||
}
|
||||
|
|
|
@ -3,6 +3,7 @@
|
|||
./admins.nix
|
||||
./base-server.nix
|
||||
./hardening.nix
|
||||
./nix.nix
|
||||
./raito-proxy-aware-nginx.nix
|
||||
./raito-vm.nix
|
||||
./sysadmin
|
||||
|
|
21
common/nix.nix
Normal file
21
common/nix.nix
Normal file
|
@ -0,0 +1,21 @@
|
|||
{ lib, pkgs, ... }:
|
||||
{
|
||||
nix.extraOptions = ''
|
||||
experimental-features = nix-command flakes
|
||||
'';
|
||||
|
||||
# Provision a useful nixpkgs in NIX_PATH and flake registry on infra
|
||||
# machines.
|
||||
nixpkgs.flake = {
|
||||
source = lib.cleanSource pkgs.path;
|
||||
setNixPath = true;
|
||||
setFlakeRegistry = true;
|
||||
};
|
||||
|
||||
# Use our cache and trust its signing key. Still use cache.nixos.org as
|
||||
# fallback.
|
||||
nix.settings.substituters = [ "https://bagel-cache.s3-web.delroth.net/" ];
|
||||
nix.settings.trusted-public-keys = [
|
||||
"cache.forkos.org:xfXIUJO1yiEITJmYsVmNDa9BFSlgTh/YqZ+4ei1EhQg="
|
||||
];
|
||||
}
|
|
@ -101,5 +101,7 @@
|
|||
fodwatch.imports = commonModules ++ [ ./hosts/fodwatch ];
|
||||
wob-vpn-gw.imports = commonModules ++ [ ./hosts/wob-vpn-gw ];
|
||||
} // builders;
|
||||
|
||||
hydraJobs = builtins.mapAttrs (n: v: v.config.system.build.toplevel) self.nixosConfigurations;
|
||||
};
|
||||
}
|
||||
|
|
|
@ -39,8 +39,8 @@
|
|||
|
||||
hydra.enable = true;
|
||||
hydra.dbi = "dbi:Pg:dbname=hydra;user=hydra";
|
||||
# Takes 10 builders (0 → 9).
|
||||
hydra.builders = lib.genList (i: "builder-${builtins.toString i}") 9;
|
||||
# Takes 4 builders (0 → 3).
|
||||
hydra.builders = lib.genList (i: "builder-${builtins.toString i}") 4;
|
||||
|
||||
ofborg.enable = true;
|
||||
};
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ lib, ... }:
|
||||
{ pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
###### Hardware ######
|
||||
|
@ -86,6 +86,11 @@
|
|||
}) (lib.genList lib.id 12));
|
||||
};
|
||||
|
||||
networking.nftables.enable = true;
|
||||
networking.firewall.extraInputRules = ''
|
||||
iifname { "bmc*" } meta nfproto ipv4 udp dport 67 accept comment "DHCP server"
|
||||
'';
|
||||
|
||||
networking.vlans = lib.listToAttrs (map (x: lib.nameValuePair "bmc${toString x}" {
|
||||
interface = "oob";
|
||||
id = 101 + x;
|
||||
|
@ -111,5 +116,7 @@
|
|||
|
||||
bagel.sysadmin.enable = true;
|
||||
|
||||
environment.systemPackages = [ pkgs.ipmitool ];
|
||||
|
||||
system.stateVersion = "24.05";
|
||||
}
|
||||
|
|
|
@ -5,6 +5,7 @@ let
|
|||
|
||||
secrets = with keys; {
|
||||
hydra-s3-credentials = [ machines.bagel-box ];
|
||||
hydra-signing-priv = [ machines.bagel-box ];
|
||||
hydra-ssh-key-priv = [ machines.bagel-box ];
|
||||
netbox-environment = [ machines.meta01 ];
|
||||
mimir-environment = [ machines.meta01 ];
|
||||
|
|
BIN
secrets/hydra-signing-priv.age
Normal file
BIN
secrets/hydra-signing-priv.age
Normal file
Binary file not shown.
|
@ -1,4 +1,4 @@
|
|||
{ lib, config, ... }:
|
||||
{ pkgs, lib, config, ... }:
|
||||
let
|
||||
cfg = config.bagel.baremetal.builders;
|
||||
in
|
||||
|
@ -91,10 +91,25 @@ in
|
|||
deployment.targetHost = "2a01:584:11::1:${toString cfg.num}";
|
||||
deployment.tags = [ "builders" ];
|
||||
|
||||
networking.nameservers = lib.mkForce ["2001:4860:4860::6464"]; # todo: other dns64
|
||||
# Why can't we have nice things? https://bugs.openjdk.org/browse/JDK-8170568
|
||||
services.coredns = {
|
||||
enable = true;
|
||||
config = ''
|
||||
. {
|
||||
bind lo
|
||||
forward . 2001:4860:4860::6464
|
||||
template ANY A { rcode NOERROR }
|
||||
}
|
||||
'';
|
||||
};
|
||||
services.resolved.enable = false;
|
||||
networking.resolvconf.useLocalResolver = true;
|
||||
|
||||
|
||||
bagel.sysadmin.enable = true;
|
||||
|
||||
environment.systemPackages = [ pkgs.ipmitool ];
|
||||
|
||||
system.stateVersion = "24.05";
|
||||
};
|
||||
}
|
||||
|
|
|
@ -48,6 +48,9 @@ in {
|
|||
|
||||
age.secrets.hydra-s3-credentials.file = ../../secrets/hydra-s3-credentials.age;
|
||||
|
||||
age.secrets.hydra-signing-priv.owner = "hydra-queue-runner";
|
||||
age.secrets.hydra-signing-priv.file = ../../secrets/hydra-signing-priv.age;
|
||||
|
||||
age.secrets.hydra-ssh-key-priv.owner = "hydra-queue-runner";
|
||||
age.secrets.hydra-ssh-key-priv.file = ../../secrets/hydra-ssh-key-priv.age;
|
||||
|
||||
|
@ -59,7 +62,16 @@ in {
|
|||
# XXX: Otherwise services.hydra-dev overwrites it to only hydra-queue-runner...
|
||||
#
|
||||
# Can be removed once this is added to some common config template.
|
||||
nix.settings.trusted-users = [ "root" "hydra" "@wheel" ];
|
||||
nix.settings.trusted-users = [ "root" "hydra" "hydra-www" "@wheel" ];
|
||||
|
||||
# Because Hydra can't fetch flake inputs otherwise... also yes, this
|
||||
# prefix-based matching is absurdly bad.
|
||||
nix.settings.allowed-uris = [
|
||||
"github:"
|
||||
"https://github.com/"
|
||||
"https://git.lix.systems/"
|
||||
"https://git@git.lix.systems/"
|
||||
];
|
||||
|
||||
services.hydra-dev = {
|
||||
enable = true;
|
||||
|
@ -90,7 +102,7 @@ in {
|
|||
endpoint = "s3.delroth.net";
|
||||
region = "garage";
|
||||
|
||||
#secret-key = "TODO";
|
||||
secret-key = config.age.secrets.hydra-signing-priv.path;
|
||||
|
||||
compression = "zstd";
|
||||
log-compression = "br";
|
||||
|
|
|
@ -111,5 +111,32 @@ in
|
|||
}
|
||||
];
|
||||
};
|
||||
|
||||
resource.hydra_project.infra = {
|
||||
name = "infra";
|
||||
display_name = "ForkOS Infra";
|
||||
description = "ForkOS infra repository";
|
||||
homepage = "https://git.lix.system/the-distro/infra";
|
||||
owner = "terraform";
|
||||
enabled = true;
|
||||
visible = true;
|
||||
};
|
||||
|
||||
resource.hydra_jobset.infra_main = {
|
||||
project = config.resource.hydra_project.infra.name;
|
||||
state = "enabled";
|
||||
visible = true;
|
||||
name = "main";
|
||||
type = "flake";
|
||||
description = "main branch for the infra repo";
|
||||
|
||||
flake_uri = "git+https://git.lix.systems/the-distro/infra";
|
||||
|
||||
check_interval = 600;
|
||||
scheduling_shares = 3000;
|
||||
keep_evaluations = 5;
|
||||
|
||||
email_notifications = false;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue