weasel: add custom nix-serve

/home is a nfs mount, which does not support extra filesystem arguments
needed to run podman. We need to have a local home.

m/common/base.nix

@@ -11,11 +11,13 @@
     ./base/hw.nix
     ./base/net.nix
     ./base/nix.nix
+    ./base/sys-devices.nix
     ./base/ntp.nix
     ./base/rev.nix
     ./base/ssh.nix
     ./base/users.nix
     ./base/watchdog.nix
     ./base/zsh.nix
+    ./base/fish.nix
   ];
 }

m/common/base/env.nix

@@ -5,6 +5,8 @@
     vim wget git htop tmux pciutils tcpdump ripgrep nix-index nixos-option
     nix-diff ipmitool freeipmi ethtool lm_sensors cmake gnumake file tree
     ncdu config.boot.kernelPackages.perf ldns pv
+    nix-output-monitor
+    nixfmt-rfc-style
     # From bsckgs overlay
     osumb
   ];

m/common/base/fish.nix

@@ -0,0 +1,4 @@
+{ ... }:
+{
+  programs.fish.enable = true;
+}

m/common/base/sys-devices.nix

@@ -0,0 +1,9 @@
+{
+  nix.settings.system-features = [ "sys-devices" ];
+
+  programs.nix-required-mounts.enable = true;
+  programs.nix-required-mounts.allowedPatterns.sys-devices.paths = [
+    "/sys/devices/system/cpu"
+    "/sys/devices/system/node"
+  ];
+}

m/common/base/users.nix

@@ -87,6 +87,12 @@
         openssh.authorizedKeys.keys = [
           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIIFiqXqt88VuUfyANkZyLJNiuroIITaGlOOTMhVDKjf abonerib@bsc"
         ];
+        shell = pkgs.fish;
+        packages = with pkgs; [
+          starship
+          jujutsu
+          neovim
+        ];
       };
 
       vlopez = {

m/fox/wireguard.nix

@@ -23,11 +23,11 @@
 
       peers = [
         # List of allowed peers.
-        { 
+        {
           name = "apex";
           publicKey = "VwhcN8vSOzdJEotQTpmPHBC52x3Hbv1lkFIyKubrnUA=";
           # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
-          allowedIPs = [ "10.106.0.30/32" ];
+          allowedIPs = [ "10.106.0.30/32" "10.0.40.7/32" ];
         }
         {
           name = "raccoon";
@@ -40,6 +40,7 @@
 
   networking.hosts = {
     "10.106.0.30" = [ "apex" ];
+    "10.0.40.7" = [ "hut" ];
     "10.106.0.236" = [ "raccoon" ];
     "10.0.44.4" = [ "tent" ];
   };

m/weasel/configuration.nix

@@ -1,9 +1,11 @@
-{ lib, ... }:
+{ lib, pkgs, ... }:
 
 {
   imports = [
     ../common/ssf.nix
     ../module/hut-substituter.nix
+    ./virtualization.nix
+    ./hydra.nix
   ];
 
   # Select this using the ID to avoid mismatches
@@ -30,4 +32,22 @@
       prefixLength = 24;
     } ];
   };
+
+  services.nix-serve = {
+    enable = true;
+    # Only listen locally, as we serve it via ssh
+    bindAddress = "127.0.0.1";
+    port = 5000;
+    package = pkgs.nix-serve-ng.overrideAttrs (oldAttrs: {
+      src = pkgs.fetchgit {
+        url = "https://jungle.bsc.es/git/abonerib/nix-serve-ng.git";
+        hash = "";
+      };
+    });
+
+    # secretKeyFile = config.age.secrets.nixServe.path;
+    # Public key:
+    # jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=
+  };
+
 }

m/weasel/hydra.nix

@@ -0,0 +1,52 @@
+{ config, pkgs, lib, ... }:
+{
+  services.hydra = {
+    enable = true;
+
+    # Wrap hydra so it puts quiet flag every time... This is dumb and annoying,
+    # but i can't override the systemd ExecStart without running into infinite
+    # recursion.
+    package = pkgs.symlinkJoin {
+      name = "hydra-quiet";
+      paths = [ pkgs.hydra ];
+      postBuild = ''
+        for prog in hydra-queue-runner hydra-evaluator ; do
+          prev=$(realpath $out/bin/$prog)
+          rm $out/bin/$prog
+          cat >$out/bin/$prog <<EOF
+        #!/bin/sh
+        args=()
+        for arg in "\$@"; do
+          if [ "\$arg" != "-v" ]; then
+            args+=("\$arg")
+          fi
+        done
+        exec $prev --quiet "\''${args[@]}"
+        EOF
+
+          chmod +x $out/bin/$prog
+        done
+      '';
+    };
+
+    hydraURL = "http://localhost:3001"; # externally visible URL
+    notificationSender = "hydra@jungle.bsc.es"; # e-mail of Hydra service
+    port = 3001;
+    # a standalone Hydra will require you to unset the buildMachinesFiles list to avoid using a nonexistant /etc/nix/machines
+    buildMachinesFiles = [ ];
+    # you will probably also want, otherwise *everything* will be built from scratch
+    useSubstitutes = true;
+    listenHost = "0.0.0.0"; # Force IPv4
+  };
+
+  systemd.services.hydra-send-stats.enable = lib.mkForce false;
+
+  networking.firewall.allowedTCPPorts = [ config.services.hydra.port ];
+
+  nix.settings.extra-allowed-uris = [
+    "git+ssh://git@bscpm04.bsc.es"
+    "git+ssh://git@gitlab-internal.bsc.es"
+    "https://github.com"
+    "git+ssh://github.com"
+  ];
+}

m/weasel/virtualization.nix

@@ -0,0 +1,40 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+
+{
+  # Enable common container config files in /etc/containers
+  virtualisation.containers.enable = true;
+  virtualisation = {
+    podman = {
+      enable = true;
+
+      # Required for containers under podman-compose to be able to talk to each other.
+      defaultNetwork.settings.dns_enabled = true;
+    };
+  };
+
+  # We cannot use /home since nfs does not support fileattrs needed by podman
+  systemd.tmpfiles.settings = {
+    "podman-users" = lib.mapAttrs' (
+      name: value:
+      lib.nameValuePair ("/var/lib/podman-users/" + name) {
+        d = {
+          group = value.group;
+          mode = value.homeMode;
+          user = name;
+        };
+      }
+    ) (lib.filterAttrs (_: x: x.isNormalUser) config.users.users);
+  };
+
+  # Useful other development tools
+  environment.systemPackages = with pkgs; [
+    dive # look into docker image layers
+    podman-tui # status of containers in the terminal
+    podman-compose # start group of containers for dev
+  ];
+}