From 3fc53def4d430f6fae95884c3f4121b099a8414e Mon Sep 17 00:00:00 2001
From: magic_rb
Date: Sat, 18 Nov 2023 14:09:40 +0100
Subject: [PATCH] Add nix signing key to hydra

Signed-off-by: magic_rb
---
 nixng/containers/hydra/hydra.nix | 223 +++++++++++++++---------------
 terranix/containers/hydra/job.hcl | 8 ++
 2 files changed, 122 insertions(+), 109 deletions(-)

diff --git a/nixng/containers/hydra/hydra.nix b/nixng/containers/hydra/hydra.nix
index ea50480..ad2249c 100644
--- a/nixng/containers/hydra/hydra.nix
+++ b/nixng/containers/hydra/hydra.nix
@@ -1,90 +1,97 @@ -{ makeSystem -, nixpkgs -, hydra +{ + makeSystem, + nixpkgs, + hydra, }: makeSystem { system = "x86_64-linux"; name = "nixng-hydra"; inherit nixpkgs; - config = { pkgs, config, lib, nglib, ... }: - { - config = { - dumb-init = { - enable = true; - type.services = {}; + config = { + pkgs, + config, + lib, + nglib, + ... + }: { + config = { + dumb-init = { + enable = true; + type.services = {}; + }; + nix = { + package = pkgs.nixUnstable; + loadNixDb = true; + persistNix = "/nix-persist"; + config = { + experimental-features = ["nix-command" "flakes"]; + sandbox = true; + trusted-public-keys = ["cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="]; + substituters = ["https://cache.nixos.org/"]; + ignored-acls = ["system.nfs4_acl"]; + allowed-uris = [ + "https://gitea.redalder.org" + "https://github.com" + "https://gitlab.com" + "https://git.sr.ht" + "https://raw.githubusercontent.com" + "https://patch-diff.githubusercontent.com" + "https://media.forgecdn.net" + ]; + + builders-use-substitutes = true; + builders = "@/etc/nix/machines"; + secret-key-files = "/secrets/nix-key.private"; + extra-platforms = ["i686-linux" "aarch64-linux"]; }; - nix = { - package = pkgs.nixUnstable; - loadNixDb = true; - persistNix = "/nix-persist"; - config = { - experimental-features = [ "nix-command" "flakes" ]; - sandbox = true; - trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ]; - substituters = [ "https://cache.nixos.org/" ]; - ignored-acls = [ "system.nfs4_acl" ]; - allowed-uris = [ - "https://gitea.redalder.org" - "https://github.com" - "https://gitlab.com" - "https://git.sr.ht" - "https://raw.githubusercontent.com" - "https://patch-diff.githubusercontent.com" - "https://media.forgecdn.net" - ]; + }; + services.hydra = { + enable = true; + package = hydra.packages.x86_64-linux.hydra; + hydraURL = "https://hydra.redalder.org"; + notificationSender = "hydra@redalder.org"; + useSubstitutes = true; + adjustNiceness 
= true; - builders-use-substitutes = true; - builders = "@/etc/nix/machines"; - extra-platforms = [ "i686-linux" "aarch64-linux" ]; - }; - }; - services.hydra = { - enable = true; - package = hydra.packages.x86_64-linux.hydra; - hydraURL = "https://hydra.redalder.org"; - notificationSender = "hydra@redalder.org"; - useSubstitutes = true; - adjustNiceness = true; + minimumDiskFree = 200; + minimumDiskFreeEvaluator = 100; - minimumDiskFree = 200; - minimumDiskFreeEvaluator = 100; + dbiFile = "/local/dbi"; + config.evaluator_max_memory_size = "2048M"; + }; + services.socklog = { + enable = true; + unix = "/dev/log"; + }; - dbiFile = "/local/dbi"; - config.evaluator_max_memory_size = "2048M"; - }; - services.socklog = { - enable = true; - unix = "/dev/log"; - }; + init.services.pgpass = { + script = pkgs.writeShellScript "pgpass" '' + ln -nsf /secrets/pgpass /var/lib/hydra/pgpass + ln -nsf /secrets/pgpass-www /var/lib/hydra/pgpass-www + ln -nsf /secrets/pgpass-queue-runner /var/lib/hydra/pgpass-queue-runner - init.services.pgpass = { - script = pkgs.writeShellScript "pgpass" '' - ln -nsf /secrets/pgpass /var/lib/hydra/pgpass - ln -nsf /secrets/pgpass-www /var/lib/hydra/pgpass-www - ln -nsf /secrets/pgpass-queue-runner /var/lib/hydra/pgpass-queue-runner + chown hydra:hydra /secrets/pgpass + chown hydra-www:hydra /secrets/pgpass-www + chown hydra-queue-runner:hydra /secrets/pgpass-queue-runner + sv down pgpass + ''; + enabled = true; + }; - chown hydra:hydra /secrets/pgpass - chown hydra-www:hydra /secrets/pgpass-www - chown hydra-queue-runner:hydra /secrets/pgpass-queue-runner - sv down pgpass + services.crond.crontabs.autogc = { + jobs = let + storegc = + pkgs.writeShellScript "storegc" + '' + nix-collect-garbage -d ''; - enabled = true; - }; + in [ + "0 4 * * * ${storegc}" + ]; + }; - services.crond.crontabs.autogc = { - jobs = - let - storegc = pkgs.writeShellScript "storegc" - '' - nix-collect-garbage -d - ''; - in - [ - "0 4 * * * ${storegc}" - ]; - }; - - 
init.services.nix-daemon.environment.PATH = with pkgs; lib.makeBinPath [ + init.services.nix-daemon.environment.PATH = with pkgs; + lib.makeBinPath [ utillinux runit busybox 
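Review bot: The added `secret-key-files = "/secrets/nix-key.private";` in `nix.config` has the daemon sign every locally built store path with a key whose protection is set nowhere in this file: unlike `/secrets/ssh-key`, which the activation step copies and restricts with `chmod 600` plus a `chown`, and the pgpass files, which the pgpass service chowns to the individual hydra users, the signing key is used exactly as the Nomad template writes it. The job.hcl hunk that delivers it is cut off in this view, so I cannot confirm it uses `perms = "400"` like the neighbouring pgpass templates; if it does not, any of the hydra service users, or anything else with read access to the container filesystem, could sign arbitrary store paths with it, so the template's `perms` is the control to verify. The option also deserves a comment saying what the key is for and that consumers only need its public half, e.g. `# Signs store paths built here; consumers trust them via the matching public key in their trusted-public-keys.`. The `nix.config` set is fully inside this hunk, but the enclosing `makeSystem` config continues into the next hunk.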
@@ -92,46 +99,44 @@ makeSystem { gzip ]; - system.activation = - let - machines = pkgs.writeText "machines" '' - eu.nixbuild.net x86_64-linux,aarch64-linux,i686-linux - 100 5 benchmark,big-parallel - localhost x86_64-linux - 2 1 benchmark,big-parallel,kvm,nixos-test,local - ''; - nix-machines = nglib.dag.dagEntryAnywhere '' - export PATH=${pkgs.busybox}/bin + system.activation = let + machines = pkgs.writeText "machines" '' + eu.nixbuild.net x86_64-linux,aarch64-linux,i686-linux - 100 5 benchmark,big-parallel + localhost x86_64-linux - 2 1 benchmark,big-parallel,kvm,nixos-test,local + ''; + nix-machines = nglib.dag.dagEntryAnywhere '' + export PATH=${pkgs.busybox}/bin - mkdir -p /etc/nix - ln -s ${machines} /etc/nix/machines - ''; + mkdir -p /etc/nix + ln -s ${machines} /etc/nix/machines + ''; - ssh_config = pkgs.writeText "ssh_config" '' - Host eu.nixbuild.net - PubkeyAcceptedKeyTypes ssh-ed25519 - IdentityFile /ssh-key - ''; - ssh_known_hosts = pkgs.writeText "ssh_known_hosts" '' - eu.nixbuild.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPIQCZc54poJ8vqawd8TraNryQeJnvH1eLpIDgbiqymM - ''; - ssh = nglib.dag.dagEntryAnywhere '' - export PATH=${pkgs.busybox}/bin + ssh_config = pkgs.writeText "ssh_config" '' + Host eu.nixbuild.net + PubkeyAcceptedKeyTypes ssh-ed25519 + IdentityFile /ssh-key + ''; + ssh_known_hosts = pkgs.writeText "ssh_known_hosts" '' + eu.nixbuild.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPIQCZc54poJ8vqawd8TraNryQeJnvH1eLpIDgbiqymM + ''; + ssh = nglib.dag.dagEntryAnywhere '' + export PATH=${pkgs.busybox}/bin - mkdir -p /etc/ssh - ln -s ${ssh_config} /etc/ssh/ssh_config - ln -s ${ssh_known_hosts} /etc/ssh/ssh_known_hosts - ''; + mkdir -p /etc/ssh + ln -s ${ssh_config} /etc/ssh/ssh_config + ln -s ${ssh_known_hosts} /etc/ssh/ssh_known_hosts + ''; - ssh-key = nglib.dag.dagEntryAfter ["users"] '' - export PATH=${pkgs.busybox}/bin + ssh-key = nglib.dag.dagEntryAfter ["users"] '' + export PATH=${pkgs.busybox}/bin - cp /secrets/ssh-key /ssh-key - chmod 600 
/ssh-key - chown hydra-queue-runner:root /ssh-key - ''; - in - { - inherit ssh-key ssh nix-machines; - }; + cp /secrets/ssh-key /ssh-key + chmod 600 /ssh-key + chown hydra-queue-runner:root /ssh-key + ''; + in { + inherit ssh-key ssh nix-machines; }; }; + }; } diff --git a/terranix/containers/hydra/job.hcl b/terranix/containers/hydra/job.hcl index a92e750..1fd4708 100644 --- a/terranix/containers/hydra/job.hcl +++ b/terranix/containers/hydra/job.hcl @@ -158,6 +158,14 @@ EOF destination = "secrets/pgpass-queue-runner" perms = "400" } + + template { + data = <