


86b10535de
weasel: add custom nix-serve 2025-10-06 14:48:15 +02:00
f8a53b368d
Add https github to allowed uris 2025-10-02 17:54:50 +02:00
d95d4962aa
Make hydra shut up 2025-10-02 17:54:49 +02:00
41d0b157c8
Add bscpm and gitlab-internal to allowed-uris 2025-10-02 17:54:49 +02:00
f30682ff1b
weasel: enable hydra tcp port in firewall 2025-10-02 17:54:49 +02:00
8d45192a7f
hydra: set listen host 2025-10-02 17:54:49 +02:00
e74ec52fd9
Enable hydra on weasel 2025-10-02 17:54:49 +02:00
6a6929fa39
weasel: use tent cache 2025-10-02 17:54:49 +02:00
cdebb58971
Add nixfmt-rfc-style to common packages 2025-10-02 17:54:49 +02:00
8ee391ed42
Add packages to user abonerib 2025-10-02 17:54:48 +02:00
13330eb537
Add nix-output-monitor to default packages 2025-10-02 17:54:48 +02:00
ea4cc89d17
Set fish shell for user abonerib 2025-10-02 17:54:48 +02:00
366615774f
weasel: create user folders in /var/lib/podman-users
/home is an NFS mount, which does not support extra filesystem arguments
needed to run podman. We need to have a local home.
2025-10-02 17:54:48 +02:00
23ec609737
weasel: add podman 2025-10-02 17:54:48 +02:00
7 changed files with 126 additions and 1 deletions


@ -18,5 +18,6 @@
./base/users.nix
./base/watchdog.nix
./base/zsh.nix
./base/fish.nix
];
}


@ -5,6 +5,8 @@
vim wget git htop tmux pciutils tcpdump ripgrep nix-index nixos-option
nix-diff ipmitool freeipmi ethtool lm_sensors cmake gnumake file tree
ncdu config.boot.kernelPackages.perf ldns pv
nix-output-monitor
nixfmt-rfc-style
# From bsckgs overlay
osumb
];

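--- /dev/null
+++ b/m/common/base/fish.nix
@@ -0,0 +1,4 @@
+{ ... }:
+{
+programs.fish.enable = true;
+}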


@ -87,6 +87,12 @@
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIIFiqXqt88VuUfyANkZyLJNiuroIITaGlOOTMhVDKjf abonerib@bsc"
];
shell = pkgs.fish;
packages = with pkgs; [
starship
jujutsu
neovim
];
};
vlopez = {


@ -1,9 +1,11 @@
{ lib, ... }:
{ lib, pkgs, ... }:
{
imports = [
../common/ssf.nix
../module/hut-substituter.nix
./virtualization.nix
./hydra.nix
];
# Select this using the ID to avoid mismatches
@ -30,4 +32,22 @@
prefixLength = 24;
} ];
};
services.nix-serve = {
enable = true;
# Only listen locally, as we serve it via ssh
bindAddress = "127.0.0.1";
port = 5000;
package = pkgs.nix-serve-ng.overrideAttrs (oldAttrs: {
src = pkgs.fetchgit {
url = "https://jungle.bsc.es/git/abonerib/nix-serve-ng.git";
hash = "sha256-N6c3NozYqAGwmjf+k5GHOZzlcquDntrJwsZQ7O2sqtQ=";
};
});
secretKeyFile = "/var/cache-priv-key.pem";
# Public key:
# 10.0.40.6:8jBhIdXEBap+Qo+vc1/fnV9vj43A2oDk839EEheRr/U=
};
}
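Review bot: The `pkgs.fetchgit` call in the `services.nix-serve.package` override gives only `url` and `hash`, so the checkout is pinned by its output hash alone; fetchgit then fetches the branch tip, and as soon as that tip moves the build fails with a hash mismatch rather than keeping the intended revision. Add `rev = "<pinned-commit-id>";` next to `url` so the source is pinned explicitly and the hash only guards integrity. On `secretKeyFile = "/var/cache-priv-key.pem"`, this is the signing key for everything the cache serves, and the page does not show how it is provisioned; I would confirm it is owned by (or loaded as a credential for) the account the nix-serve unit runs as, is not world-readable, and is never copied into the Nix store, and record that in the comment, e.g. `# Signing key: provisioned out of band, mode 0400, readable only by the nix-serve service`. The enclosing attribute set starts before this hunk.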

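--- /dev/null
+++ b/m/weasel/hydra.nix
@@ -0,0 +1,52 @@
+{ config, pkgs, lib, ... }:
+{
+services.hydra = {
+enable = true;
+# Wrap hydra so it puts quiet flag every time... This is dumb and annoying,
+# but i can't override the systemd ExecStart without running into infinite
+# recursion.
+package = pkgs.symlinkJoin {
+name = "hydra-quiet";
+paths = [ pkgs.hydra ];
+postBuild = ''
+for prog in hydra-queue-runner hydra-evaluator ; do
+prev=$(realpath $out/bin/$prog)
+rm $out/bin/$prog
+cat >$out/bin/$prog <<EOF
+#!/bin/sh
+args=()
+for arg in "\$@"; do
+if [ "\$arg" != "-v" ]; then
+args+=("\$arg")
+fi
+done
+exec $prev --quiet "\''${args[@]}"
+EOF
+chmod +x $out/bin/$prog
+done
+'';
+};
+hydraURL = "http://localhost:3001"; # externally visible URL
+notificationSender = "hydra@jungle.bsc.es"; # e-mail of Hydra service
+port = 3001;
+# a standalone Hydra will require you to unset the buildMachinesFiles list to avoid using a nonexistant /etc/nix/machines
+buildMachinesFiles = [ ];
+# you will probably also want, otherwise *everything* will be built from scratch
+useSubstitutes = true;
+listenHost = "0.0.0.0"; # Force IPv4
+};
+systemd.services.hydra-send-stats.enable = lib.mkForce false;
+networking.firewall.allowedTCPPorts = [ config.services.hydra.port ];
+nix.settings.extra-allowed-uris = [
+"git+ssh://git@bscpm04.bsc.es"
+"git+ssh://git@gitlab-internal.bsc.es"
+"https://github.com"
+"git+ssh://github.com"
+];
+}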
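Review bot: `hydraURL = "http://localhost:3001"` is commented as the externally visible URL, yet `listenHost = "0.0.0.0"` together with `networking.firewall.allowedTCPPorts = [ config.services.hydra.port ]` makes the web UI reachable from other hosts, where any link or notification Hydra builds from hydraURL points back to the client's own localhost; set it to the name clients actually use, e.g. `hydraURL = "http://<weasel-fqdn>:3001";`. The same two lines expose the Hydra UI and its login form over plain HTTP on every IPv4 interface, so either bind to the internal address only or put a TLS-terminating reverse proxy in front and keep the firewall opening for that. In `nix.settings.extra-allowed-uris`, `"https://github.com"` is a bare prefix; on Nix releases that match allowed-uris by plain string prefix this also admits unrelated hosts that merely start with that text, and `"https://github.com/"` states the intent unambiguously. The wrapper emitted in `postBuild` uses bash arrays (`args=()`, `args+=(...)`) under a `#!/bin/sh` shebang; `#!${pkgs.runtimeShell}` would make the interpreter explicit rather than relying on what `/bin/sh` resolves to on the host.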


@ -0,0 +1,40 @@
{
lib,
pkgs,
config,
...
}:
{
# Enable common container config files in /etc/containers
virtualisation.containers.enable = true;
virtualisation = {
podman = {
enable = true;
# Required for containers under podman-compose to be able to talk to each other.
defaultNetwork.settings.dns_enabled = true;
};
};
# We cannot use /home since nfs does not support fileattrs needed by podman
systemd.tmpfiles.settings = {
"podman-users" = lib.mapAttrs' (
name: value:
lib.nameValuePair ("/var/lib/podman-users/" + name) {
d = {
group = value.group;
mode = value.homeMode;
user = name;
};
}
) (lib.filterAttrs (_: x: x.isNormalUser) config.users.users);
};
# Useful other development tools
environment.systemPackages = with pkgs; [
dive # look into docker image layers
podman-tui # status of containers in the terminal
podman-compose # start group of containers for dev
];
}
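Review bot: The `systemd.tmpfiles.settings."podman-users"` rule creates `/var/lib/podman-users/<user>` for every `isNormalUser` account, but nothing in this file points rootless podman at those directories, so unless it is configured elsewhere container storage still lands under the NFS home that the comment above says cannot support it. If the wiring lives in another file (for example a `rootless_storage_path` under `virtualisation.containers.storage.settings`, or a per-user `storage.conf`), say so next to the rule, e.g. `# Directories only; rootless storage is pointed here from <file>`, and otherwise add it. The `group = value.group` line relies on `isNormalUser` supplying a default group, which holds for the filtered set but is worth a one-line note. The whole file sits inside this hunk, so the rule is not referenced from anywhere else shown.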