
8 commits

Yureka e80df3aef1 general quality of life improvements 2024-07-10 01:05:15 +02:00
Yureka 3dd46c665a add global hardening options 2024-07-10 01:05:15 +02:00
raito 664fa033aa Merge pull request 'hydra: wire up new builders' (#47) from hydra-wire-up into main
Reviewed-on: the-distro/infra#47
2024-07-09 23:00:27 +00:00
raito 2308870aa5 builders: add a nice tag to deploy all of them at once
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-07-10 00:59:31 +02:00
raito f9f955214f ssh-keys: add raito to secrets set
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-07-10 00:59:22 +02:00
raito 90e54d7292 terraform: add DNS records for VPN-GW & builders
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-07-10 00:55:42 +02:00
raito 645ad7d062 builders: add builder user
currently hardcoded to hydra's coordinator public key

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-07-10 00:55:25 +02:00
raito a30c1f7d78 hydra: wire up new builders
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-07-10 00:45:02 +02:00
10 changed files with 94 additions and 17 deletions


@ -8,12 +8,5 @@ in {
keys.users.maxine ++ keys.users.maxine ++
keys.users.jade ++ keys.users.jade ++
keys.users.lukegb ++ keys.users.lukegb ++
keys.users.yuka ++ keys.users.yuka;
[
# more raito
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJFsZ7PMDt80tYXHyScQajNhqH4wuYg/o0OxfOHaZD4rXuT0VIKflKH1M9LslfHWIEH3XNeqhQOziH9r+Ny5JcM="
];
} }


@ -21,4 +21,10 @@
dates = "daily"; dates = "daily";
options = "--delete-older-than 30d"; options = "--delete-older-than 30d";
}; };
services.journald.extraConfig = "SystemMaxUse=512M";
boot.kernelParams = [
"panic=30" "boot.panic_on_fail"
];
} }
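Review bot: The two new `boot.kernelParams` entries turn any boot failure into an unattended reboot loop — `panic=30` reboots 30 s after a kernel panic, and, as I read the NixOS stage-1 script, `boot.panic_on_fail` makes it panic instead of dropping to its emergency shell — which is a defensible choice for remote servers but leaves no interactive recovery path, and nothing in the hunk says so. Add a comment above the list, e.g. `# Unattended recovery: no interactive stage-1 shell on failure, reboot 30s after a panic.`. The enclosing attribute set starts outside the hunk.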


@ -5,5 +5,6 @@
./raito-proxy-aware-nginx.nix ./raito-proxy-aware-nginx.nix
./base-server.nix ./base-server.nix
./sysadmin ./sysadmin
./hardening.nix
]; ];
} }

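--- /dev/null
+++ b/common/hardening.nix
@@ -0,0 +1,23 @@
+{ config, lib, ... }:
+{
+nix.settings.allowed-users = [ "root" ];
+boot.specialFileSystems = lib.mkIf (!config.security.rtkit.enable && !config.security.polkit.enable) {
+"/proc".options = [ "hidepid=2" ];
+};
+boot.kernel.sysctl."kernel.dmesg_restrict" = 1;
+services.openssh = {
+settings.PasswordAuthentication = false;
+settings.KbdInteractiveAuthentication = false;
+# prevents mutable /home/$user/.ssh/authorized_keys from being loaded to ensure that all user keys are config managed
+authorizedKeysFiles = lib.mkForce [
+"/etc/ssh/authorized_keys.d/%u"
+];
+};
+users.mutableUsers = false;
+}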
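Review bot: `nix.settings.allowed-users = [ "root" ]` on the first setting line applies to every host that imports this module, so any service account that talks to the nix-daemon must now appear either here or in `trusted-users` (trusted users are always allowed to connect); on the Hydra coordinator the evaluator and web users and the ofborg user come to mind, and I cannot tell from this compare whether they are all covered. Either verify that, or state the contract with a comment such as `# Only root and nix.settings.trusted-users may talk to the daemon; services that need it must be added explicitly`. The builders' new `nix.settings.trusted-users = [ "builder" ]` is compatible with this rule. The `hidepid=2` mount is guarded on rtkit/polkit being disabled; a one-line comment saying why (both need to see other users' processes) would spare the next reader a search.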


@ -21,7 +21,13 @@
users = { users = {
delroth = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3tjB4KYDok3KlWxdBp/yEmqhhmybd+w0VO4xUwLKKV" ]; delroth = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3tjB4KYDok3KlWxdBp/yEmqhhmybd+w0VO4xUwLKKV" ];
raito = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICaw9ihTG7ucB8P38XdalEWev8+q96e2yNm4B+/I9IJp" ]; raito = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICaw9ihTG7ucB8P38XdalEWev8+q96e2yNm4B+/I9IJp"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJFsZ7PMDt80tYXHyScQajNhqH4wuYg/o0OxfOHaZD4rXuT0VIKflKH1M9LslfHWIEH3XNeqhQOziH9r+Ny5JcM="
];
k900 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOi9vgVGs+S5kEsUqHPvyMMh1Q9gqL4TcbHoe5d73tun" ]; k900 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOi9vgVGs+S5kEsUqHPvyMMh1Q9gqL4TcbHoe5d73tun" ];
maxine = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILpWQfhNFdrxMTP/1DwBVuk49f3df9iH7Tbdu8ltIKjr" ]; maxine = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILpWQfhNFdrxMTP/1DwBVuk49f3df9iH7Tbdu8ltIKjr" ];
jade = [ jade = [
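Review bot: The `ecdsa-sha2-nistp256` entry on the last added key line is not usable as an age recipient: age, and therefore agenix, accepts only `ssh-ed25519` and `ssh-rsa` public keys, so wherever `keys.users.raito` feeds a secrets recipient list — the `commonKeys` change in this same compare does exactly that — rekeying will reject it. Keep the ECDSA key out of this shared list, or split login-only keys into a separate attribute that is never used for secrets. A comment at the top of the `users` set, e.g. `# Keys here also serve as agenix recipients: only ssh-ed25519 / ssh-rsa entries can decrypt secrets`, would keep this from recurring. The `users` set continues outside the hunk.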


@ -40,6 +40,11 @@
hydra.enable = true; hydra.enable = true;
hydra.dbi = "dbi:Pg:dbname=hydra;user=hydra"; hydra.dbi = "dbi:Pg:dbname=hydra;user=hydra";
hydra.builders = [
"builder-0"
"builder-1"
];
ofborg.enable = true; ofborg.enable = true;
}; };
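Review bot: The names in the new `hydra.builders` list double as attribute names in two other places in this compare — the Colmena node name (`nodes.${n}.config.networking.fqdn`) and the host-key entry in `ssh-keys.machines` — so a typo here only surfaces as an attribute-missing error at evaluation time. A comment next to the list makes the coupling visible: `# Each entry must be both a hive node name and a key of common/ssh-keys.nix machines`.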


@ -1,7 +1,7 @@
let let
keys = import common/ssh-keys.nix; keys = import common/ssh-keys.nix;
commonKeys = keys.users.delroth; commonKeys = keys.users.delroth ++ keys.users.raito;
secrets = with keys; { secrets = with keys; {
hydra-s3-credentials = [ machines.bagel-box ]; hydra-s3-credentials = [ machines.bagel-box ];
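Review bot: The widened `commonKeys` on the changed line grants decryption of every secret in this file to all of `keys.users.raito`, which after the ssh-keys change in this compare is four keys rather than one; each of them becomes a single point of compromise for the whole secrets set. If only one of those keys is meant for secret decryption, reference it specifically (a dedicated attribute in `ssh-keys.nix`) instead of the full login-key list, so the recipient set stays minimal. The `secrets` set continues outside the hunk.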


@ -14,10 +14,23 @@ in
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
boot.initrd.availableKernelModules = [ "ahci" "ehci_pci" "usb_storage" "usbhid" "sd_mod" ]; boot.initrd.availableKernelModules = [ "ahci" "ehci_pci" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ "dm-snapshot" ]; boot.initrd.kernelModules = [ "dm-snapshot" ];
users.users.builder = {
isSystemUser = true;
group = "nogroup";
home = "/var/empty";
shell = "/bin/sh";
openssh.authorizedKeys.keys = [
# Do not hardcode Hydra's public key, selectively
# add the keys of the coordinators that require us.
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAvUT9YBig9LQPHgypIBHQuC32XqDKxlFZ2CfgDi0ZKx"
];
};
nix.settings.trusted-users = [ "builder" ];
nixpkgs.hostPlatform = "x86_64-linux"; nixpkgs.hostPlatform = "x86_64-linux";
hardware.cpu.intel.updateMicrocode = true; hardware.cpu.intel.updateMicrocode = true;
@ -45,6 +58,7 @@ in
networking.useNetworkd = true; networking.useNetworkd = true;
networking.hostName = "builder-${toString cfg.num}"; networking.hostName = "builder-${toString cfg.num}";
networking.domain = "wob01.infra.forkos.org";
systemd.network = { systemd.network = {
netdevs = { netdevs = {
@ -75,6 +89,7 @@ in
]; ];
networking.defaultGateway6 = { interface = "uplink"; address = "2a01:584:11::1"; }; networking.defaultGateway6 = { interface = "uplink"; address = "2a01:584:11::1"; };
deployment.targetHost = "2a01:584:11::1:${toString cfg.num}"; deployment.targetHost = "2a01:584:11::1:${toString cfg.num}";
deployment.tags = [ "builders" ];
networking.nameservers = lib.mkForce ["2001:4860:4860::6464"]; # todo: other dns64 networking.nameservers = lib.mkForce ["2001:4860:4860::6464"]; # todo: other dns64
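Review bot: The comment on the new `openssh.authorizedKeys.keys` lines says not to hardcode Hydra's key, yet the only entry is a bare literal with no indication of whose key it is (the commit message says it is the coordinator's). Source it from `common/ssh-keys.nix` like every other key in this repo, or at least label it: `# TODO: hydra coordinator's queue-runner pubkey; move to common/ssh-keys.nix`. Because `builder` is also added to `nix.settings.trusted-users`, whoever holds that private key can hand every builder's daemon unsigned store paths, so if `nix-store --serve --write` is the only command the queue runner runs over that connection, prefixing the key with `restrict,command="nix-store --serve --write"` limits what the key can do. The `config` block starts outside the hunk.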


@ -1,14 +1,28 @@
{ config, lib, pkgs, ... }: { nodes, config, lib, pkgs, ... }:
let let
cfg = config.bagel.services.hydra; cfg = config.bagel.services.hydra;
ssh-keys = import ../../common/ssh-keys.nix;
narCacheDir = "/var/cache/hydra/nar-cache"; narCacheDir = "/var/cache/hydra/nar-cache";
port = 3000; port = 3000;
mkCacheSettings = settings: builtins.concatStringsSep "&" ( mkCacheSettings = settings: builtins.concatStringsSep "&" (
lib.mapAttrsToList (k: v: "${k}=${v}") settings lib.mapAttrsToList (k: v: "${k}=${v}") settings
); );
mkBaremetalBuilder = { nrCores, publicHostKey, host, speedFactor ? 1, user ? "builder", supportedSystems ? [ "i686-linux" "x86_64-linux" ], supportedFeatures ? [ "big-parallel" "kvm" "nixos-test" ] }:
"ssh://${user}@${host} ${lib.concatStringsSep "," supportedSystems} ${config.age.secrets.hydra-ssh-key-priv.path} ${toString nrCores} ${toString speedFactor} ${lib.concatStringsSep "," supportedFeatures} - ${publicHostKey}";
# TODO:
# - generalize to new architectures
# - generalize to new features
baremetalBuilders = lib.concatStringsSep "\n"
(map (n: mkBaremetalBuilder {
nrCores = 40; # TODO: do not hardcode this, use the node's builder configuration.
publicHostKey = ssh-keys.machines.${n};
host = nodes.${n}.config.networking.fqdn;
}) cfg.builders);
in { in {
options.bagel.services.hydra = with lib; { options.bagel.services.hydra = with lib; {
enable = mkEnableOption "Hydra coordinator"; enable = mkEnableOption "Hydra coordinator";
@ -17,9 +31,19 @@ in {
type = types.str; type = types.str;
description = "DBI connection string for the Hydra postgres database"; description = "DBI connection string for the Hydra postgres database";
}; };
builders = mkOption {
type = types.listOf types.str;
description = "List of builders to configure for Hydra";
example = [ "builder-0" "builder-1" ];
};
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
# TODO: we should assert or warn that the builders
# does indeed have our public SSH key and are *builders*
# as a simple evaluation preflight check.
age.secrets.hydra-s3-credentials.file = ../../secrets/hydra-s3-credentials.age; age.secrets.hydra-s3-credentials.file = ../../secrets/hydra-s3-credentials.age;
age.secrets.hydra-ssh-key-priv.owner = "hydra-queue-runner"; age.secrets.hydra-ssh-key-priv.owner = "hydra-queue-runner";
@ -54,7 +78,8 @@ in {
buildMachinesFiles = [ buildMachinesFiles = [
(pkgs.writeText "hydra-builders.conf" '' (pkgs.writeText "hydra-builders.conf" ''
ssh://bagel-builder@epyc.infra.newtype.fr i686-linux,x86_64-linux ${config.age.secrets.hydra-ssh-key-priv.path} 8 1 big-parallel,kvm,nixos-test - c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSU9YVDlJbml0MU1oS3Q0cmpCQU5McTB0MGJQd3cvV1FaOTZ1QjRBRURybWwgcm9vdEBuaXhvcwo= ssh://bagel-builder@epyc.infra.newtype.fr i686-linux,x86_64-linux ${config.age.secrets.hydra-ssh-key-priv.path} 8 1 big-parallel,kvm,nixos-test - c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSU9YVDlJbml0MU1oS3Q0cmpCQU5McTB0MGJQd3cvV1FaOTZ1QjRBRURybWwgcm9vdEBuaXhvcwo=
'') ${baremetalBuilders}
'')
]; ];
extraConfig = '' extraConfig = ''
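Review bot: `publicHostKey = ssh-keys.machines.${n}` in the `baremetalBuilders` map ends up as the last field of the generated machines line, which Nix expects to be the base64 encoding of the host's public-key line — the hardcoded `epyc` entry in the last hunk shows that form (`c3NoLWVkMjU1MTkg…`). The same `machines.*` attributes are used as age recipients in `secrets.nix`, which needs the raw `ssh-ed25519 AAAA…` form, so unless those attributes already hold base64 text every generated line will carry an unusable host key and host verification to the builders will fail. Keep a separate base64-encoded attribute for the machines file (or encode it at build time), and turn the TODO under `config = lib.mkIf cfg.enable` into an `assertions` entry that checks `builtins.hasAttr n ssh-keys.machines` for each configured builder so a misnamed builder fails evaluation with a clear message.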


@ -1,6 +1,6 @@
{ lib, config, ... }: { lib, config, ... }:
let let
inherit (lib) mkEnableOption mkIf tf; inherit (lib) mkEnableOption mkIf tf genList;
cfg = config.bagel.gandi; cfg = config.bagel.gandi;
in in
{ {
@ -43,7 +43,7 @@ in
}; };
}) records); }) records);
in forkosRecords [ in forkosRecords ([
# (record "@" 3600 "A" ["163.172.69.160"]) # (record "@" 3600 "A" ["163.172.69.160"])
(record "@" 3600 "AAAA" ["2001:bc8:38ee:100:1000::20"]) (record "@" 3600 "AAAA" ["2001:bc8:38ee:100:1000::20"])
@ -67,6 +67,9 @@ in
(record "loki" 3600 "CNAME" ["meta01.infra"]) (record "loki" 3600 "CNAME" ["meta01.infra"])
(record "mimir" 3600 "CNAME" ["meta01.infra"]) (record "mimir" 3600 "CNAME" ["meta01.infra"])
(record "matrix" 3600 "CNAME" ["meta01.infra"]) (record "matrix" 3600 "CNAME" ["meta01.infra"])
];
(record "vpn-gw.wob01.infra" 3600 "AAAA" [ "2a01:584:11::2" ])
# TODO: do not hardcode, just reuse the Colmena hive module outputs to generate all the required details.
] ++ map (index: record "builder-${toString index}.wob01.infra" 3600 "AAAA" [ "2a01:584:11::1:${toString index}" ]) (genList lib.id 12));
}; };
} }
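Review bot: `genList lib.id 12` on the last added line fixes the builder count as a bare magic number, and reaching for `lib.id` right after `genList` was pulled out of `lib` by `inherit` reads inconsistently; name the count and inherit both, e.g. `inherit (lib) mkEnableOption mkIf tf genList id;` and `builderCount = 12;`. Records are published for builder-0 through builder-11 while only two builders are wired into Hydra in this compare, which is harmless for DNS but confirms the TODO above it — deriving the list from the hive outputs — is the real fix.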