weasel: nix-serve bind to 0.0.0.0

weasel: add custom nix-serve
Proper override for haskell package madness Fix nix-serve-ng override
2025-10-08 15:24:41 +02:00 · 2025-10-08 15:24:41 +02:00 · 2025-10-08 15:24:41 +02:00 · 2025-10-08 15:24:40 +02:00 · 2025-10-08 15:24:40 +02:00 · 2025-10-08 15:24:40 +02:00
13 changed files with 140 additions and 15 deletions
--- a/m/common/base.nix
+++ b/m/common/base.nix
@ -18,5 +18,6 @@
    ./base/users.nix
    ./base/watchdog.nix
    ./base/zsh.nix
+    ./base/fish.nix
  ];
 }
--- a/m/common/base/env.nix
+++ b/m/common/base/env.nix
@ -5,6 +5,8 @@
    vim wget git htop tmux pciutils tcpdump ripgrep nix-index nixos-option
    nix-diff ipmitool freeipmi ethtool lm_sensors cmake gnumake file tree
    ncdu config.boot.kernelPackages.perf ldns pv
+    nix-output-monitor
+    nixfmt-rfc-style
    # From bsckgs overlay
    osumb
  ];
--- a/m/common/base/fish.nix
+++ b/m/common/base/fish.nix
@ -0,0 +1,4 @@
+{ ... }:
+{
+  programs.fish.enable = true;
+}
--- a/m/common/base/users.nix
+++ b/m/common/base/users.nix
@ -87,6 +87,12 @@
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIIFiqXqt88VuUfyANkZyLJNiuroIITaGlOOTMhVDKjf abonerib@bsc"
        ];
+        shell = pkgs.fish;
+        packages = with pkgs; [
+          starship
+          jujutsu
+          neovim
+        ];
      };

      vlopez = {
--- a/m/weasel/configuration.nix
+++ b/m/weasel/configuration.nix
@ -1,9 +1,11 @@
-{ lib, ... }:
+{ lib, pkgs, ... }:

 {
  imports = [
    ../common/ssf.nix
    ../module/hut-substituter.nix
+    ./virtualization.nix
+    ./hydra.nix
  ];

  # Select this using the ID to avoid mismatches
@ -30,4 +32,23 @@
      prefixLength = 24;
    } ];
  };
+
+  services.nix-serve = {
+    enable = true;
+    bindAddress = "0.0.0.0";
+    port = 5000;
+    package = pkgs.haskell.lib.overrideSrc (pkgs.haskell.packages.ghc96.nix-serve-ng.override { nix = pkgs.nixVersions.nix_2_28; }) {
+      src = pkgs.fetchgit {
+        url = "https://jungle.bsc.es/git/abonerib/nix-serve-ng.git";
+        rev = "9c056641300a826db66b66d7e584b2541d38927a";
+        hash = "sha256-y69ZchFiZOU71eyeljcQgLxkLk5JUzZfanq8Yzw4MkI=";
+      };
+      version = "unstable";
+    };
+
+    secretKeyFile = "/var/cache-priv-key.pem";
+    # Public key:
+    # 10.0.40.6:8jBhIdXEBap+Qo+vc1/fnV9vj43A2oDk839EEheRr/U=
+  };
+
 }
--- a/m/weasel/hydra.nix
+++ b/m/weasel/hydra.nix
@ -0,0 +1,52 @@
+{ config, pkgs, lib, ... }:
+{
+  services.hydra = {
+    enable = true;
+
+    # Wrap hydra so it puts quiet flag every time... This is dumb and annoying,
+    # but i can't override the systemd ExecStart without running into infinite
+    # recursion.
+    package = pkgs.symlinkJoin {
+      name = "hydra-quiet";
+      paths = [ pkgs.hydra ];
+      postBuild = ''
+        for prog in hydra-queue-runner hydra-evaluator ; do
+          prev=$(realpath $out/bin/$prog)
+          rm $out/bin/$prog
+          cat >$out/bin/$prog <<EOF
+        #!/bin/sh
+        args=()
+        for arg in "\$@"; do
+          if [ "\$arg" != "-v" ]; then
+            args+=("\$arg")
+          fi
+        done
+        exec $prev --quiet "\''${args[@]}"
+        EOF
+
+          chmod +x $out/bin/$prog
+        done
+      '';
+    };
+
+    hydraURL = "http://localhost:3001"; # externally visible URL
+    notificationSender = "hydra@jungle.bsc.es"; # e-mail of Hydra service
+    port = 3001;
+    # a standalone Hydra will require you to unset the buildMachinesFiles list to avoid using a nonexistant /etc/nix/machines
+    buildMachinesFiles = [ ];
+    # you will probably also want, otherwise *everything* will be built from scratch
+    useSubstitutes = true;
+    listenHost = "0.0.0.0"; # Force IPv4
+  };
+
+  systemd.services.hydra-send-stats.enable = lib.mkForce false;
+
+  networking.firewall.allowedTCPPorts = [ config.services.hydra.port ];
+
+  nix.settings.extra-allowed-uris = [
+    "git+ssh://git@bscpm04.bsc.es"
+    "git+ssh://git@gitlab-internal.bsc.es"
+    "https://github.com"
+    "git+ssh://github.com"
+  ];
+}
--- a/m/weasel/virtualization.nix
+++ b/m/weasel/virtualization.nix
@ -0,0 +1,40 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+
+{
+  # Enable common container config files in /etc/containers
+  virtualisation.containers.enable = true;
+  virtualisation = {
+    podman = {
+      enable = true;
+
+      # Required for containers under podman-compose to be able to talk to each other.
+      defaultNetwork.settings.dns_enabled = true;
+    };
+  };
+
+  # We cannot use /home since nfs does not support fileattrs needed by podman
+  systemd.tmpfiles.settings = {
+    "podman-users" = lib.mapAttrs' (
+      name: value:
+      lib.nameValuePair ("/var/lib/podman-users/" + name) {
+        d = {
+          group = value.group;
+          mode = value.homeMode;
+          user = name;
+        };
+      }
+    ) (lib.filterAttrs (_: x: x.isNormalUser) config.users.users);
+  };
+
+  # Useful other development tools
+  environment.systemPackages = with pkgs; [
+    dive # look into docker image layers
+    podman-tui # status of containers in the terminal
+    podman-compose # start group of containers for dev
+  ];
+}
--- a/overlay.nix
+++ b/overlay.nix
@ -62,7 +62,7 @@ let
  };

  tests = rec {
-    #hwloc = callPackage ./test/bugs/hwloc.nix { }; # Broken, no /sys
+    hwloc = callPackage ./test/bugs/hwloc.nix { };
    #sigsegv = callPackage ./test/reproducers/sigsegv.nix { };
    hello-c = callPackage ./test/compilers/hello-c.nix { };
    hello-cpp = callPackage ./test/compilers/hello-cpp.nix { };
--- a/test/bugs/hwloc.nix
+++ b/test/bugs/hwloc.nix
@ -6,6 +6,7 @@

 stdenv.mkDerivation {
  name = "hwloc-test";
+  requiredSystemFeatures = [ "sys-devices" ];

  src = ./.;

@ -14,7 +15,7 @@ stdenv.mkDerivation {
  buildPhase = ''
    ls -l /sys
    gcc -lhwloc hwloc.c -o hwloc
-    strace ./hwloc
+    strace ./hwloc > $out
  '';

 }
--- a/test/compilers/clang-openmp-ld.nix
+++ b/test/compilers/clang-openmp-ld.nix
@ -23,9 +23,8 @@ in stdenv.mkDerivation {
  dontUnpack = true;
  dontConfigure = true;

-  # nOS-V requires access to /sys/devices to request NUMA information. It will
-  # fail to run otherwise, so we disable the sandbox for this test.
-  __noChroot = true;
+  # nOS-V requires access to /sys/devices to request NUMA information
+  requiredSystemFeatures = [ "sys-devices" ];

  buildInputs = [ openmp ];

--- a/test/compilers/clang-openmp-nosv.nix
+++ b/test/compilers/clang-openmp-nosv.nix
@ -36,9 +36,8 @@ in stdenv.mkDerivation {
  dontUnpack = true;
  dontConfigure = true;

-  # nOS-V requires access to /sys/devices to request NUMA information. It will
-  # fail to run otherwise, so we disable the sandbox for this test.
-  __noChroot = true;
+  # nOS-V requires access to /sys/devices to request NUMA information
+  requiredSystemFeatures = [ "sys-devices" ];

  buildInputs = [ nosv ];

--- a/test/compilers/clang-openmp.nix
+++ b/test/compilers/clang-openmp.nix
@ -24,9 +24,8 @@ in stdenv.mkDerivation {
  dontUnpack = true;
  dontConfigure = true;

-  # nOS-V requires access to /sys/devices to request NUMA information. It will
-  # fail to run otherwise, so we disable the sandbox for this test.
-  __noChroot = true;
+  # nOS-V requires access to /sys/devices to request NUMA information
+  requiredSystemFeatures = [ "sys-devices" ];

  buildPhase = ''
    set -x
--- a/test/compilers/ompss2.nix
+++ b/test/compilers/ompss2.nix
@ -25,9 +25,10 @@ stdenv.mkDerivation rec {
  hardeningDisable = [ "all" ];
  #NIX_DEBUG = 1;
  buildInputs = [ ]; #strace gdb;
-  # NODES requires access to /sys/devices to request NUMA information. It will
-  # fail to run otherwise, so we disable the sandbox for this test.
-  __noChroot = true;
+
+  # NODES requires access to /sys/devices to request NUMA information
+  requiredSystemFeatures = [ "sys-devices" ];
+
  buildPhase = ''
    set -x
    #$CC -v
Author	SHA1	Message	Date
Aleix Boné	0b047b7272	weasel: nix-serve bind to 0.0.0.0	2025-10-08 15:24:41 +02:00
Aleix Boné	354c11c329	weasel: add custom nix-serve Proper override for haskell package madness Fix nix-serve-ng override	2025-10-08 15:24:41 +02:00
Aleix Boné	6a01158c43	Add https github to allowed uris	2025-10-08 15:24:41 +02:00
Aleix Boné	d7f92a9126	Make hydra shut up	2025-10-08 15:24:40 +02:00
Aleix Boné	ed6cb7e6ea	Add bscpm and gitlab-internal to allowed-uris	2025-10-08 15:24:40 +02:00
Aleix Boné	ed8eafba79	weasel: enable hydra tcp port in firewall	2025-10-08 15:24:40 +02:00
Aleix Boné	937f08d11c	hydra: set listen host	2025-10-08 15:24:40 +02:00
Aleix Boné	71b8198e4a	Enable hydra on weasel	2025-10-08 15:24:40 +02:00
Aleix Boné	1a5ba3b930	weasel: use tent cache	2025-10-08 15:24:40 +02:00
Aleix Boné	a057c2e5f5	Add nixfmt-rfc-style to common packages	2025-10-08 15:24:40 +02:00
Aleix Boné	7e4fb6bccf	Add packages to user abonerib	2025-10-08 15:24:39 +02:00
Aleix Boné	b5b90826a7	Add nix-output-monitor to default packages	2025-10-08 15:24:39 +02:00
Aleix Boné	b5140eda17	Set fish shell for user abonerib	2025-10-08 15:24:39 +02:00
Aleix Boné	6a89c4de90	weasel: create user folders in /var/lib/podman-users /home is a nfs mount, which does not support extra filesystem arguments needed to run podman. We need to have a local home.	2025-10-08 15:24:39 +02:00
Aleix Boné	8369b1207e	weasel: add podman	2025-10-08 15:24:39 +02:00
Aleix Boné	f2bf4970c9	Replace __noChroot with requiredSystemFeatures	2025-10-08 13:54:54 +02:00
Rodrigo Arias Mallo	4b4fe9bb3d	Add hwloc test with sys-devices feature	2025-10-07 17:34:46 +02:00