Add nix signing key to hydra

Signed-off-by: magic_rb <magic_rb@redalder.org>
This commit is contained in:
magic_rb 2023-11-18 14:09:40 +01:00
parent a62e03f81b
commit 3fc53def4d
No known key found for this signature in database
GPG key ID: 08D5287CC5DDCA0E
2 changed files with 122 additions and 109 deletions


@ -1,90 +1,97 @@
{ makeSystem {
, nixpkgs makeSystem,
, hydra nixpkgs,
hydra,
}: }:
makeSystem { makeSystem {
system = "x86_64-linux"; system = "x86_64-linux";
name = "nixng-hydra"; name = "nixng-hydra";
inherit nixpkgs; inherit nixpkgs;
config = { pkgs, config, lib, nglib, ... }: config = {
{ pkgs,
config = { config,
dumb-init = { lib,
enable = true; nglib,
type.services = {}; ...
}: {
config = {
dumb-init = {
enable = true;
type.services = {};
};
nix = {
package = pkgs.nixUnstable;
loadNixDb = true;
persistNix = "/nix-persist";
config = {
experimental-features = ["nix-command" "flakes"];
sandbox = true;
trusted-public-keys = ["cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="];
substituters = ["https://cache.nixos.org/"];
ignored-acls = ["system.nfs4_acl"];
allowed-uris = [
"https://gitea.redalder.org"
"https://github.com"
"https://gitlab.com"
"https://git.sr.ht"
"https://raw.githubusercontent.com"
"https://patch-diff.githubusercontent.com"
"https://media.forgecdn.net"
];
builders-use-substitutes = true;
builders = "@/etc/nix/machines";
secret-key-files = "/secrets/nix-key.private";
extra-platforms = ["i686-linux" "aarch64-linux"];
}; };
nix = { };
package = pkgs.nixUnstable; services.hydra = {
loadNixDb = true; enable = true;
persistNix = "/nix-persist"; package = hydra.packages.x86_64-linux.hydra;
config = { hydraURL = "https://hydra.redalder.org";
experimental-features = [ "nix-command" "flakes" ]; notificationSender = "hydra@redalder.org";
sandbox = true; useSubstitutes = true;
trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ]; adjustNiceness = true;
substituters = [ "https://cache.nixos.org/" ];
ignored-acls = [ "system.nfs4_acl" ];
allowed-uris = [
"https://gitea.redalder.org"
"https://github.com"
"https://gitlab.com"
"https://git.sr.ht"
"https://raw.githubusercontent.com"
"https://patch-diff.githubusercontent.com"
"https://media.forgecdn.net"
];
builders-use-substitutes = true; minimumDiskFree = 200;
builders = "@/etc/nix/machines"; minimumDiskFreeEvaluator = 100;
extra-platforms = [ "i686-linux" "aarch64-linux" ];
};
};
services.hydra = {
enable = true;
package = hydra.packages.x86_64-linux.hydra;
hydraURL = "https://hydra.redalder.org";
notificationSender = "hydra@redalder.org";
useSubstitutes = true;
adjustNiceness = true;
minimumDiskFree = 200; dbiFile = "/local/dbi";
minimumDiskFreeEvaluator = 100; config.evaluator_max_memory_size = "2048M";
};
services.socklog = {
enable = true;
unix = "/dev/log";
};
dbiFile = "/local/dbi"; init.services.pgpass = {
config.evaluator_max_memory_size = "2048M"; script = pkgs.writeShellScript "pgpass" ''
}; ln -nsf /secrets/pgpass /var/lib/hydra/pgpass
services.socklog = { ln -nsf /secrets/pgpass-www /var/lib/hydra/pgpass-www
enable = true; ln -nsf /secrets/pgpass-queue-runner /var/lib/hydra/pgpass-queue-runner
unix = "/dev/log";
};
init.services.pgpass = { chown hydra:hydra /secrets/pgpass
script = pkgs.writeShellScript "pgpass" '' chown hydra-www:hydra /secrets/pgpass-www
ln -nsf /secrets/pgpass /var/lib/hydra/pgpass chown hydra-queue-runner:hydra /secrets/pgpass-queue-runner
ln -nsf /secrets/pgpass-www /var/lib/hydra/pgpass-www sv down pgpass
ln -nsf /secrets/pgpass-queue-runner /var/lib/hydra/pgpass-queue-runner '';
enabled = true;
};
chown hydra:hydra /secrets/pgpass services.crond.crontabs.autogc = {
chown hydra-www:hydra /secrets/pgpass-www jobs = let
chown hydra-queue-runner:hydra /secrets/pgpass-queue-runner storegc =
sv down pgpass pkgs.writeShellScript "storegc"
''
nix-collect-garbage -d
''; '';
enabled = true; in [
}; "0 4 * * * ${storegc}"
];
};
services.crond.crontabs.autogc = { init.services.nix-daemon.environment.PATH = with pkgs;
jobs = lib.makeBinPath [
let
storegc = pkgs.writeShellScript "storegc"
''
nix-collect-garbage -d
'';
in
[
"0 4 * * * ${storegc}"
];
};
init.services.nix-daemon.environment.PATH = with pkgs; lib.makeBinPath [
utillinux utillinux
runit runit
busybox busybox
@ -92,46 +99,44 @@ makeSystem {
gzip gzip
]; ];
system.activation = system.activation = let
let machines = pkgs.writeText "machines" ''
machines = pkgs.writeText "machines" '' eu.nixbuild.net x86_64-linux,aarch64-linux,i686-linux - 100 5 benchmark,big-parallel
eu.nixbuild.net x86_64-linux,aarch64-linux,i686-linux - 100 5 benchmark,big-parallel localhost x86_64-linux - 2 1 benchmark,big-parallel,kvm,nixos-test,local
localhost x86_64-linux - 2 1 benchmark,big-parallel,kvm,nixos-test,local '';
''; nix-machines = nglib.dag.dagEntryAnywhere ''
nix-machines = nglib.dag.dagEntryAnywhere '' export PATH=${pkgs.busybox}/bin
export PATH=${pkgs.busybox}/bin
mkdir -p /etc/nix mkdir -p /etc/nix
ln -s ${machines} /etc/nix/machines ln -s ${machines} /etc/nix/machines
''; '';
ssh_config = pkgs.writeText "ssh_config" '' ssh_config = pkgs.writeText "ssh_config" ''
Host eu.nixbuild.net Host eu.nixbuild.net
PubkeyAcceptedKeyTypes ssh-ed25519 PubkeyAcceptedKeyTypes ssh-ed25519
IdentityFile /ssh-key IdentityFile /ssh-key
''; '';
ssh_known_hosts = pkgs.writeText "ssh_known_hosts" '' ssh_known_hosts = pkgs.writeText "ssh_known_hosts" ''
eu.nixbuild.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPIQCZc54poJ8vqawd8TraNryQeJnvH1eLpIDgbiqymM eu.nixbuild.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPIQCZc54poJ8vqawd8TraNryQeJnvH1eLpIDgbiqymM
''; '';
ssh = nglib.dag.dagEntryAnywhere '' ssh = nglib.dag.dagEntryAnywhere ''
export PATH=${pkgs.busybox}/bin export PATH=${pkgs.busybox}/bin
mkdir -p /etc/ssh mkdir -p /etc/ssh
ln -s ${ssh_config} /etc/ssh/ssh_config ln -s ${ssh_config} /etc/ssh/ssh_config
ln -s ${ssh_known_hosts} /etc/ssh/ssh_known_hosts ln -s ${ssh_known_hosts} /etc/ssh/ssh_known_hosts
''; '';
ssh-key = nglib.dag.dagEntryAfter ["users"] '' ssh-key = nglib.dag.dagEntryAfter ["users"] ''
export PATH=${pkgs.busybox}/bin export PATH=${pkgs.busybox}/bin
cp /secrets/ssh-key /ssh-key cp /secrets/ssh-key /ssh-key
chmod 600 /ssh-key chmod 600 /ssh-key
chown hydra-queue-runner:root /ssh-key chown hydra-queue-runner:root /ssh-key
''; '';
in in {
{ inherit ssh-key ssh nix-machines;
inherit ssh-key ssh nix-machines;
};
}; };
}; };
};
} }
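Review bot: The new `secret-key-files = "/secrets/nix-key.private";` line relies on a file the Nomad template renders with perms 400, but unlike the pgpass secrets handled in init.services.pgpass there is no ownership adjustment, so if the nix daemon does not run as root it cannot read the key and signing would fail at build time; whether that applies depends on the daemon user, which this file does not show. A short comment next to the option would help the next maintainer, e.g. `# private signing key, rendered into /secrets by the Nomad job template (mode 400)`, and a chown step mirroring the pgpass one if the daemon is unprivileged. The rest of the hunk is a reformat that hides this single functional line; splitting the formatting into its own commit would make the change easier to review.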


@ -158,6 +158,14 @@ EOF
destination = "secrets/pgpass-queue-runner" destination = "secrets/pgpass-queue-runner"
perms = "400" perms = "400"
} }
template {
data = <<EOF
{{ with secret "kv/data/cluster/hydra" }}{{ .Data.data.nix_signing_key }}{{ end }}
EOF
destination = "secrets/nix-key.private"
perms = "400"
}
} }
task "postgresql" { task "postgresql" {